RE: clarifications needed re safe form editor cert matching algorithm

Ian, I said I was going to investigate and make a proposal. It's not my
intent to break the eBay site because they use a certificate feature
that BofA does not. I'd hope that much would be obvious.
 
I was asking about the prevalence of the alt names to get an idea of how
much we can rely on that feature. For example, if, hypothetically, alt
names were widespread, they might provide a better matching algorithm
than step 4 of the algorithm I am currently proposing.
 
I suggest you get set up with a copy of IE7 in order to better
participate in this WG. Last I checked, IE had significant share in the
market we're looking to set standards in.
 
Not having so much fun now. Ah well.
 
--Tyler


________________________________

	From: Ian Fette [mailto:ifette@google.com] 
	Sent: Thursday, October 11, 2007 2:08 PM
	To: Close, Tyler J.
	Cc: public-wsc-wg@w3.org
	Subject: Re: clarifications needed re safe form editor cert matching algorithm
	
	
	bankofamerica.com does not use an alt-name. What's the point?
	(And for those of us who aren't using IE7, I'm assuming you just get a
	common name mismatch error, or what?) If eBay uses it, then I think you
	need to be worried about breaking it.
	
	
	On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote: 

		Perhaps there's some way to finesse this part of the algorithm
		by reference to RFC 2818. I'll work on it.
		 
		Many sites don't seem to be using this cert feature. For a fun
		example, visit the following URL using IE7.
		 
		https://bankofamerica.com/ 
		 
		--Tyler


________________________________

			From: Ian Fette [mailto:ifette@google.com] 
			Sent: Thursday, October 11, 2007 12:48 PM
			To: Close, Tyler J.
			Cc: public-wsc-wg@w3.org
			Subject: Re: clarifications needed re safe form editor cert matching algorithm
			
			
			
			It is in huge use. For example, if you go to
			https://signin.ebay.com and look at the cert - the CN is
			signin.ebay.com but the certificate subject alt name lists:
			
			Not Critical
			DNS Name: signin.cafr.ebay.ca
			DNS Name: signin.ebay.ca
			DNS Name: signin.ebay.com.au 
			DNS Name: signin.ebay.com.cn
			DNS Name: signin.express.ebay.com
			DNS Name: signin.half.ebay.com 
			DNS Name: signin.liveauctions.ebay.com
			DNS Name: signin.shopping.ebay.com
			DNS Name: signin.tw.ebay.com
			DNS Name: signin.ebay.com
			
			and if you go to https://signin.ebay.de you again get a
			cert with CN=signin.ebay.com but alt names of:
			Not Critical
			DNS Name: signin.befr.ebay.be
			DNS Name: signin.benl.ebay.be
			DNS Name: signin.ebay.at
			DNS Name: signin.ebay.be
			DNS Name: signin.ebay.co.uk
			DNS Name: signin.ebay.de
			DNS Name: signin.ebay.es
			DNS Name: signin.ebay.fr
			DNS Name: signin.ebay.ie
			DNS Name: signin.ebay.nl
			DNS Name: signin.express.ebay.co.uk
			DNS Name: signin.ebay.com
			
			
			So yeah, it's important.
			
			On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:




				Thomas Roessler wrote:
				> going through the matching algorithm while folding it in...
				>
				> - The current language confuses attributes and fields.  I suspect
				>   that you mean the various attributes of the Subject certificate
				>   field.  Please confirm.
				
				The CN, O, L, ST and C values I refer to are the ones in the set
				referred to by the Subject field in the end entity certificate. Not sure
				how to be any more specific about this in PKIXese.
				
				> - I notice that you have some rules that concern matching the CN
				>   attribute, but none concerning subjectAltName.  I'm happy to
				>   simply track this point as an issue.
				
				Could you point me to a document covering the semantics of
				subjectAltName? Is it in use in X.509 certs on the Web?
				
				> Also, I'll open an issue to track the "PKI orthodoxy" remarks that
				> Hal had made at the face-to-face, and will link to that issue from
				> the draft.
				
				Thanks,
				--Tyler
				
				

Received on Thursday, 11 October 2007 21:30:17 UTC
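
Added example, not part of the original thread or of the WG's draft algorithm: a simplified RFC 2818 section 3.1 identity check, run against the signin.ebay.de certificate contents quoted above, showing why a matcher that looks only at the Subject CN rejects a host that the subjectAltName entries cover. The function names and the wildcard restriction are assumptions made for this illustration.

```python
# Added illustration: simplified RFC 2818 section 3.1 server identity check.
# Certificate contents below are copied from the listing quoted in the thread.
EBAY_CN = "signin.ebay.com"
EBAY_DE_SAN = [
    "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
    "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de",
    "signin.ebay.es", "signin.ebay.fr", "signin.ebay.ie",
    "signin.ebay.nl", "signin.express.ebay.co.uk", "signin.ebay.com",
]


def name_matches(presented, host):
    """Case-insensitive comparison of one presented name against the host.

    Assumption (stricter than RFC 2818): '*' counts only as the whole
    left-most label and must be followed by at least two more labels.
    """
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def match_server_identity(host, subject_cn, san_dns_names):
    """Return (matched, field_used) for the requested host name.

    When the certificate carries any dNSName entry, only those entries
    are consulted and the Subject CN is ignored, even if it would match.
    """
    if san_dns_names:
        return any(name_matches(n, host) for n in san_dns_names), "subjectAltName"
    matched = subject_cn is not None and name_matches(subject_cn, host)
    return matched, "commonName"


if __name__ == "__main__":
    # CN alone does not cover signin.ebay.de; the alt names do.
    print(match_server_identity("signin.ebay.de", EBAY_CN, []))
    print(match_server_identity("signin.ebay.de", EBAY_CN, EBAY_DE_SAN))
```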