Re: clarifications needed re safe form editor cert matching algorithm

bankofamerica.com does not use an alt-name. What's the point? (And for those
of us who aren't using IE7, I'm assuming you just get a common name mismatch
error, or what?) If eBay uses it, then I think you need to be worried about
breaking it.

On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
>
>  Perhaps there's some way to finesse this part of the algorithm by
> reference to RFC 2818. I'll work on it.
>
> Many sites don't seem to be using this cert feature. For a fun example,
> visit the following URL using IE7.
>
> https://bankofamerica.com/
>
> --Tyler
>
>  ------------------------------
> *From:* Ian Fette [mailto:ifette@google.com]
> *Sent:* Thursday, October 11, 2007 12:48 PM
> *To:* Close, Tyler J.
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: clarifications needed re safe form editor cert matching
> algorithm
>
> It is in huge use. For example, if you go to https://signin.ebay.com and
> look at the cert - the CN is signin.ebay.com but the certificate subject
> alt name lists:
>
> Not Critical
> DNS Name: signin.cafr.ebay.ca
> DNS Name: signin.ebay.ca
> DNS Name: signin.ebay.com.au
> DNS Name: signin.ebay.com.cn
> DNS Name: signin.express.ebay.com
> DNS Name: signin.half.ebay.com
> DNS Name: signin.liveauctions.ebay.com
> DNS Name: signin.shopping.ebay.com
> DNS Name: signin.tw.ebay.com
> DNS Name: signin.ebay.com
>
> and if you go to https://signin.ebay.de you again get a cert with CN=signin.ebay.com but alt names of:
>
> Not Critical
> DNS Name: signin.befr.ebay.be
> DNS Name: signin.benl.ebay.be
> DNS Name: signin.ebay.at
> DNS Name: signin.ebay.be
> DNS Name: signin.ebay.co.uk
> DNS Name: signin.ebay.de
> DNS Name: signin.ebay.es
> DNS Name: signin.ebay.fr
> DNS Name: signin.ebay.ie
> DNS Name: signin.ebay.nl
> DNS Name: signin.express.ebay.co.uk
> DNS Name: signin.ebay.com
>
>
> So yeah, it's important.
> On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> >
> > Thomas Roessler wrote:
> > > going through the matching algorithm while folding it in...
> > >
> > > - The current language confuses attributes and fields.  I suspect
> > >   that you mean the various attributes of the Subject certificate
> > >   field.  Please confirm.
> >
> > The CN, O, L, ST and C values I refer to are the ones in the set
> > referred to by the Subject field in the end entity certificate. Not sure
> > how to be any more specific about this in PKIXese.
> >
> > > - I notice that you have some rules that concern matching the CN
> > >   attribute, but none concerning subjectAltName.  I'm happy to
> > >   simply track this point as an issue.
> >
> > Could you point me to a document covering the semantics of
> > subjectAltName? Is it in use in X.509 certs on the Web?
> >
> > > Also, I'll open an issue to track the "PKI orthodoxy" remarks that
> > > Hal had made at the face-to-face, and will link to that issue from
> > > the draft.
> >
> > Thanks,
> > --Tyler
> >
> >
>
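The RFC 2818 (section 3.1) rule the thread is circling, as an added example that is not part of any message above and is not a browser's or the working group's code: when the end-entity certificate carries subjectAltName dNSName entries, those are the identities and the Subject CN is ignored; the CN is consulted only when there is no dNSName at all. The `EndEntityCert` objects below are constructed stand-ins built from the alt-name lists Ian quoted, not parsed certificates; `CN_ONLY_CERT` and `CN_NOT_IN_SAN_CERT` are hypothetical, and the one-wildcard-per-label restriction is an assumption of this code.

```python
"""RFC 2818 section 3.1 host name matching, illustrated over the eBay SAN lists
quoted in this thread. Added example, not code from the thread or from any
browser; the certificate objects are constructed stand-ins, not parsed certs."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EndEntityCert:
    """Constructed stand-in: only the two identity sources a matcher consults."""
    subject_cn: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _label_matches(pattern: str, label: str) -> bool:
    """One DNS label. RFC 2818: '*' matches any single component or component
    fragment, so 'f*' matches 'foo'. Assumption: at most one '*' per label."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    if "*" in tail:
        return False
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive, label-by-label comparison, so a wildcard never spans a
    dot: '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def identities(cert: EndEntityCert) -> List[str]:
    """RFC 2818: if a dNSName subjectAltName exists it MUST be used as the
    identity and the Subject CN is ignored; the CN is a fallback only when
    the certificate has no dNSName at all."""
    if cert.san_dns_names:
        return list(cert.san_dns_names)
    return [cert.subject_cn] if cert.subject_cn else []


def host_matches_cert(host: str, cert: EndEntityCert) -> bool:
    """True if any identity of the cert matches the host the client dialed."""
    return any(name_matches(pattern, host) for pattern in identities(cert))


# Constructed from the alt-name lists Ian quoted (CN is signin.ebay.com on both).
EBAY_COM_CERT = EndEntityCert("signin.ebay.com", [
    "signin.cafr.ebay.ca", "signin.ebay.ca", "signin.ebay.com.au",
    "signin.ebay.com.cn", "signin.express.ebay.com", "signin.half.ebay.com",
    "signin.liveauctions.ebay.com", "signin.shopping.ebay.com",
    "signin.tw.ebay.com", "signin.ebay.com",
])
EBAY_DE_CERT = EndEntityCert("signin.ebay.com", [
    "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
    "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de", "signin.ebay.es",
    "signin.ebay.fr", "signin.ebay.ie", "signin.ebay.nl",
    "signin.express.ebay.co.uk", "signin.ebay.com",
])
# Hypothetical certificates (not from the thread) for the two fallback cases.
CN_ONLY_CERT = EndEntityCert("legacy.example.test")            # no SAN: CN is used
CN_NOT_IN_SAN_CERT = EndEntityCert("example.test", ["www.example.test"])  # SAN present: CN ignored

if __name__ == "__main__":
    checks = [("signin.ebay.de", EBAY_DE_CERT), ("signin.ebay.de", EBAY_COM_CERT),
              ("example.test", CN_NOT_IN_SAN_CERT), ("legacy.example.test", CN_ONLY_CERT)]
    for host, cert in checks:
        print(f"{host:24} -> {host_matches_cert(host, cert)}")
```

The point for the matching algorithm under discussion: once a dNSName alt-name is present, a CN that is not repeated in the SAN list is not an identity at all (eBay repeats signin.ebay.com in both lists, which is why the CN host still matches), and a host that appears in neither the SAN nor the CN fails the match whichever field the cert relies on.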

Received on Thursday, 11 October 2007 21:08:44 UTC