Re: ACTION-520: Security considerations for wildcards (ISSUE-216) from Joe Steele on 2008-11-10 (public-wsc-wg@w3.org from November 2008)

From: Joe Steele <steele@adobe.com>
Date: Mon, 10 Nov 2008 12:23:56 -0800
To: Mary Ellen Zurko <mzurko@us.ibm.com>, "Thomas Roessler <tlr" <tlr@w3.org>
CC: WSC WG <public-wsc-wg@w3.org>
Message-ID: <C53DD85C.423D%steele@adobe.com>

I did have one question regarding the precedence of subjectAltName over commonName. What is the argument for this?

I have seen certificates where the subjectAltName was used for a Unicode version of the commonName and I have seen cases where it is used for a URI where more information (about the subject) can be retrieved. For the first case precedence seems appropriate, but in the second it does not. Are we pretty confident that the second case is rare? I admit that I have not seen this in SSL certificates, only those used for authentication and digital signatures.

Joe

On 11/7/08 1:19 PM, "Mary Ellen Zurko" <mzurko@us.ibm.com> wrote:


I'm taking lack of discussion as consensus on the item for the security considerations text. Anil, I'll create an editorial action for this.

For the rest, it seems a bit vague to declare anything.

         Mez




From:Thomas Roessler <tlr@w3.org>
To:WSC WG <public-wsc-wg@w3.org>
Date:10/06/2008 08:33 AM
Subject:ACTION-520: Security considerations for wildcards (ISSUE-216)
Sent by:public-wsc-wg-request@w3.org
________________________________




I propose to add the following security considerations text:

 >>>>>
<head>Deriving human-readable information from domain-validated
certificates</head>

<p>For domain validated certificates, none of the ordinary human-
readable information provided in a certificate is actually attested
to; instead, a binding between public key a domain name (or wildcard)
is created.  Therefore, <specref ref="signal-content"/> provides that,
as a fall-back of last resort, a domain name retrieved from the
subject's subjectAltName extension, or from the Common Name attribute,
should be displayed.</p>

<p>This specification does not suggest displaying the domain name used
in the source URI, since that domain name may be under the control of
an attacker.  We consider it less risky to display a string like
"*.example.com", than "bigbank.example.com" when the binding that was
attested is one to "*.example.com".</p>
<<<<<

I believe that, additionally, there should be a change in 6.1.1 that
gives subjectAltName precedence over Common Name; I don't see a
specific action item to make that change.

Also, writing this text, it occurs to me that we nowhere say that a
domain name should always be shortened from the left, never from the
right.  I suspect that the identity signal content section might be
usefully hold that piece of advice.

Thoughts anybody?

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Monday, 10 November 2008 20:24:40 UTC