- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Thu, 11 Oct 2007 17:55:42 -0400
- To: Ian Fette <ifette@google.com>
- CC: "Close, Tyler J." <tyler.close@hp.com>, public-wsc-wg@w3.org
Point taken. But what about certificates that are not attestations? E.g., anything non-EV?

serge

Ian Fette wrote:
> The need to warn comes in around something like googlepages.com. Right now, the management is all under pages.google.com and we use an SSL cert for google.com for login etc. But it is conceivable that at some point we might actually want to SSL enable https://www.googlepages.com for login, or who knows what. (This is wild speculation, I don't work on the project, this is just an example). So we would then need a cert for googlepages.com. But user content is located at username.googlepages.com, and we really don't want to attest to anything about the identity of whatever is found at those locations. So when you try to load https://ifette.googlepages.com under this scenario (where googlepages.com is actually ssl enabled and serving up something), you had better get a warning.
>
> Subdomains are not *always* controlled (or rather, authored / attested to) by the owner of the higher-level domain, and it's not always a safe assumption to make. You can make arguments about www being a special case, but beyond that...
>
> -Ian
>
> On 10/11/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> > This is an error I'm trying to do some research on, maybe someone can shed some light on it. There are thousands of legitimate sites that have this problem, either because they don't use an alt-name, or the certificate is being used on some other subdomain of their domain.
> >
> > In the case where one certificate is being used by another host within the domain that it was legitimately issued for, I'm not entirely sure what the threat model is. Sure, this is a great way for CAs to make money (by either making a site buy a new certificate for every host or making them buy a wildcard cert), but beyond this, what's the need to warn?
> >
> > Yes, the DNS can be hacked to add in a new hostname, but at that point there are bigger problems.
> >
> > serge
> >
> > Ian Fette wrote:
> > > bankofamerica.com does not use an alt-name. What's the point? (And for those of us who aren't using IE7, I'm assuming you just get a common name mismatch error, or what?) if eBay uses it, then I think you need to be worried about breaking it.
> > >
> > > On 10/11/07, *Close, Tyler J.* <tyler.close@hp.com> wrote:
> > > > Perhaps there's some way to finesse this part of the algorithm by reference to RFC 2818. I'll work on it.
> > > >
> > > > Many sites don't seem to be using this cert feature. For a fun example, visit the following URL using IE7.
> > > >
> > > > https://bankofamerica.com/
> > > >
> > > > --Tyler
> > > >
> > > > ------------------------------------------------------------------------
> > > > *From:* Ian Fette [mailto:ifette@google.com]
> > > > *Sent:* Thursday, October 11, 2007 12:48 PM
> > > > *To:* Close, Tyler J.
> > > > *Cc:* public-wsc-wg@w3.org
> > > > *Subject:* Re: clarifications needed re safe form editor cert matching algorithm
> > > >
> > > > > It is in huge use. For example, if you go to https://signin.ebay.com and look at the cert - the CN is signin.ebay.com but the certificate subject alt name lists:
> > > > >
> > > > > Not Critical
> > > > > DNS Name: signin.cafr.ebay.ca
> > > > > DNS Name: signin.ebay.ca
> > > > > DNS Name: signin.ebay.com.au
> > > > > DNS Name: signin.ebay.com.cn
> > > > > DNS Name: signin.express.ebay.com
> > > > > DNS Name: signin.half.ebay.com
> > > > > DNS Name: signin.liveauctions.ebay.com
> > > > > DNS Name: signin.shopping.ebay.com
> > > > > DNS Name: signin.tw.ebay.com
> > > > > DNS Name: signin.ebay.com
> > > > >
> > > > > and if you go to https://signin.ebay.de you again get a cert with CN=signin.ebay.com but alt names of:
> > > > >
> > > > > Not Critical
> > > > > DNS Name: signin.befr.ebay.be
> > > > > DNS Name: signin.benl.ebay.be
> > > > > DNS Name: signin.ebay.at
> > > > > DNS Name: signin.ebay.be
> > > > > DNS Name: signin.ebay.co.uk
> > > > > DNS Name: signin.ebay.de
> > > > > DNS Name: signin.ebay.es
> > > > > DNS Name: signin.ebay.fr
> > > > > DNS Name: signin.ebay.ie
> > > > > DNS Name: signin.ebay.nl
> > > > > DNS Name: signin.express.ebay.co.uk
> > > > > DNS Name: signin.ebay.com
> > > > >
> > > > > So yeah, it's important.
> > > > >
> > > > > On 10/11/07, *Close, Tyler J.* <tyler.close@hp.com> wrote:
> > > > > > Thomas Roessler wrote:
> > > > > > > going through the matching algorithm while folding it in...
> > > > > > >
> > > > > > > - The current language confuses attributes and fields. I suspect that you mean the various attributes of the Subject certificate field. Please confirm.
> > > > > >
> > > > > > The CN, O, L, ST and C values I refer to are the ones in the set referred to by the Subject field in the end entity certificate. Not sure how to be any more specific about this in PKIXese.
> > > > > >
> > > > > > > - I notice that you have some rules that concern matching the CN attribute, but none concerning subjectAltName. I'm happy to simply track this point as an issue.
> > > > > >
> > > > > > Could you point me to a document covering the semantics of subjectAltName? Is it in use in X.509 certs on the Web?
> > > > > >
> > > > > > > Also, I'll open an issue to track the "PKI orthodoxy" remarks that Hal had made at the face-to-face, and will link to that issue from the draft.
> > > > > >
> > > > > > Thanks,
> > > > > > --Tyler
> >
> > --
> > /*
> > Serge Egelman
> >
> > PhD Candidate
> > Vice President for External Affairs, Graduate Student Assembly
> > Carnegie Mellon University
> >
> > Legislative Concerns Chair
> > National Association of Graduate-Professional Students
> > */

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 11 October 2007 21:56:07 UTC
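The thread turns on how a browser decides whether a certificate names the host it is talking to: CN versus subjectAltName dNSName entries, and whether a certificate for a domain should be taken to cover that domain's subdomains. Below is an added, stand-alone example of the RFC 2818 section 3.1 identity check, written for this page; it is not code from the W3C draft, from the participants, or from any browser. The eBay SAN list is the one Ian pasted for https://signin.ebay.de; every other certificate and hostname (the googlepages.com certificates, `www.example.com`, `www.ebay.de`) is constructed for illustration. The check shows why the scenarios discussed produce a warning: a SAN-bearing certificate matches only through its SAN list (the CN is ignored), a SAN-less certificate matches only its exact CN or a single-label wildcard, and no rule ever extends `googlepages.com` to `ifette.googlepages.com` unless the site explicitly asks for that with a wildcard.

```python
"""RFC 2818 section 3.1 server-identity check (illustrative, stdlib only).

Certificates here are plain Python records, not parsed X.509; the eBay SAN
list is copied from the message above, everything else is constructed.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Only the identity-bearing parts of an end-entity certificate."""
    subject_cn: Optional[str]                        # CN attribute of the Subject field
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' covers any fragment within the label
    (RFC 2818: f*.com matches foo.com but not bar.com)."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.

    Labels are compared one-to-one, so a wildcard never spans a dot and a
    bare 'googlepages.com' never covers 'ifette.googlepages.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def rfc2818_identity(cert: Cert, host: str) -> str:
    """Return 'san', 'cn' or 'mismatch' for the given certificate and host.

    RFC 2818: if subjectAltName carries any dNSName, it MUST be used as the
    identity and the CN is not consulted; the CN is a fallback for SAN-less
    certificates only. 'mismatch' is the case where a client must warn.
    """
    if cert.san_dns:
        return "san" if any(dns_name_matches(n, host) for n in cert.san_dns) else "mismatch"
    if cert.subject_cn and dns_name_matches(cert.subject_cn, host):
        return "cn"
    return "mismatch"


# SAN list as pasted in the thread for https://signin.ebay.de (CN=signin.ebay.com)
EBAY_EU = Cert("signin.ebay.com", [
    "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
    "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de", "signin.ebay.es",
    "signin.ebay.fr", "signin.ebay.ie", "signin.ebay.nl",
    "signin.express.ebay.co.uk", "signin.ebay.com",
])

# Constructed certificates for the googlepages.com scenario: a plain cert for
# the apex, and the wildcard the site would have to buy to cover user subdomains.
GOOGLEPAGES = Cert("googlepages.com")
GOOGLEPAGES_WILDCARD = Cert("*.googlepages.com")

# Constructed SAN-less cert for one host, reused on a sibling host (Serge's case).
SINGLE_HOST = Cert("www.example.com")


def demo() -> dict:
    """Run the scenarios from the thread and return which identity matched."""
    return {
        "signin.ebay.de / eBay EU cert": rfc2818_identity(EBAY_EU, "signin.ebay.de"),
        "signin.ebay.com / eBay EU cert": rfc2818_identity(EBAY_EU, "signin.ebay.com"),
        "www.ebay.de / eBay EU cert": rfc2818_identity(EBAY_EU, "www.ebay.de"),
        "googlepages.com / apex cert": rfc2818_identity(GOOGLEPAGES, "googlepages.com"),
        "ifette.googlepages.com / apex cert": rfc2818_identity(GOOGLEPAGES, "ifette.googlepages.com"),
        "ifette.googlepages.com / wildcard": rfc2818_identity(GOOGLEPAGES_WILDCARD, "ifette.googlepages.com"),
        "a.b.googlepages.com / wildcard": rfc2818_identity(GOOGLEPAGES_WILDCARD, "a.b.googlepages.com"),
        "mail.example.com / www cert": rfc2818_identity(SINGLE_HOST, "mail.example.com"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:40s} -> {result}")
```

Two points the run makes concrete. First, `signin.ebay.com` matches the eBay certificate through the SAN list, not the CN, because once dNSName entries are present the CN plays no role; a matcher that only looks at CN (the gap Thomas raised) would still accept that host but would wrongly reject `signin.ebay.de`. Second, the warning Ian wants for `ifette.googlepages.com` falls out of the algorithm without any special rule: the apex certificate simply does not name that host, and the only way the site can extend coverage to user subdomains is to request a wildcard, which is the explicit attestation it says it does not want to make.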