RE: clarifications needed re safe form editor cert matching algorithm

Perhaps there's some way to finesse this part of the algorithm by
reference to RFC 2818. I'll work on it.
 
Many sites don't seem to be using this cert feature. For a fun example,
visit the following URL using IE7.
 
https://bankofamerica.com/
 
--Tyler


________________________________

	From: Ian Fette [mailto:ifette@google.com] 
	Sent: Thursday, October 11, 2007 12:48 PM
	To: Close, Tyler J.
	Cc: public-wsc-wg@w3.org
	Subject: Re: clarifications needed re safe form editor cert matching algorithm
	
	
	It is in huge use. For example, if you go to https://signin.ebay.com and look at the cert - the CN is signin.ebay.com but the certificate subject alt name lists:
	
	Not Critical
	DNS Name: signin.cafr.ebay.ca
	DNS Name: signin.ebay.ca
	DNS Name: signin.ebay.com.au 
	DNS Name: signin.ebay.com.cn
	DNS Name: signin.express.ebay.com
	DNS Name: signin.half.ebay.com 
	DNS Name: signin.liveauctions.ebay.com
	DNS Name: signin.shopping.ebay.com
	DNS Name: signin.tw.ebay.com
	DNS Name: signin.ebay.com
	
	and if you go to https://signin.ebay.de you again get a cert with CN=signin.ebay.com but alt names of:
	Not Critical
	DNS Name: signin.befr.ebay.be
	DNS Name: signin.benl.ebay.be
	DNS Name: signin.ebay.at
	DNS Name: signin.ebay.be
	DNS Name: signin.ebay.co.uk
	DNS Name: signin.ebay.de
	DNS Name: signin.ebay.es
	DNS Name: signin.ebay.fr
	DNS Name: signin.ebay.ie
	DNS Name: signin.ebay.nl
	DNS Name: signin.express.ebay.co.uk
	DNS Name: signin.ebay.com
	
	
	So yeah, it's important.
	
	On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:

		Thomas Roessler wrote:
		> going through the matching algorithm while folding it in...
		>
		> - The current language confuses attributes and fields. I suspect
		>   that you mean the various attributes of the Subject certificate
		>   field.  Please confirm.
		
		The CN, O, L, ST and C values I refer to are the ones in the set referred to by the Subject field in the end entity certificate. Not sure how to be any more specific about this in PKIXese.
		
		> - I notice that you have some rules that concern matching the CN
		>   attribute, but none concerning subjectAltName.  I'm happy to
		>   simply track this point as an issue.
		
		Could you point me to a document covering the semantics of subjectAltName? Is it in use in X.509 certs on the Web?
		
		> Also, I'll open an issue to track the "PKI orthodoxy" remarks that
		> Hal had made at the face-to-face, and will link to that issue from
		> the draft.
		
		Thanks,
		--Tyler
		
		

Received on Thursday, 11 October 2007 21:03:32 UTC
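The matching rule the thread is circling around, as an added example that is not code from the thread or from any W3C draft: a Python hostname check following RFC 2818 section 3.1, which uses subjectAltName dNSName entries as the server identity and consults the Subject CN only when no dNSName entries exist. The eBay alt-name list is re-typed here as constructed sample data; the function names are this example's own.

```python
import re

# RFC 2818 section 3.1: if the certificate carries subjectAltName dNSName
# entries, they are the server identity and the Subject CN is ignored;
# only a certificate with no dNSName entries falls back to the CN.


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label; '*' matches a whole label or a fragment (f*.com)."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    regex = "^" + ".*".join(re.escape(p) for p in pattern_label.split("*")) + "$"
    return re.match(regex, host_label) is not None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a dNSName (or CN) pattern against a hostname, case-insensitively.
    A wildcard covers exactly one label: *.a.com matches foo.a.com, not bar.foo.a.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in p_labels or "" in h_labels:
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def server_identity_matches(hostname, san_dns_names, subject_cn):
    """Decide whether a cert (given its dNSName SANs and Subject CN) is valid for hostname."""
    if san_dns_names:  # SAN present: the CN must not be consulted at all
        return any(dns_name_matches(name, hostname) for name in san_dns_names)
    return bool(subject_cn) and dns_name_matches(subject_cn, hostname)


# Constructed sample data, copied from the alt-name list quoted in the thread.
EBAY_COM_CN = "signin.ebay.com"
EBAY_COM_SAN = [
    "signin.cafr.ebay.ca", "signin.ebay.ca", "signin.ebay.com.au",
    "signin.ebay.com.cn", "signin.express.ebay.com", "signin.half.ebay.com",
    "signin.liveauctions.ebay.com", "signin.shopping.ebay.com",
    "signin.tw.ebay.com", "signin.ebay.com",
]

if __name__ == "__main__":
    # A CN-only matcher would reject signin.ebay.ca; the SAN list accepts it.
    print(server_identity_matches("signin.ebay.ca", EBAY_COM_SAN, EBAY_COM_CN))  # True
    print(server_identity_matches("signin.ebay.de", EBAY_COM_SAN, EBAY_COM_CN))  # False
    print(dns_name_matches("signin.ebay.ca", EBAY_COM_CN))                        # False
```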