- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Fri, 7 Nov 2008 16:19:05 -0500
- To: "Thomas Roessler <tlr" <tlr@w3.org>
- Cc: WSC WG <public-wsc-wg@w3.org>
- Message-ID: <OF735F91CB.221C0048-ON852574FA.006FC814-852574FA.00701E4A@LocalDomain>
I'm taking lack of discussion as consensus on the item for the security considerations text. Anil, I'll create an editorial action for this. For the rest, it seems a bit vague to declare anything. Mez From: Thomas Roessler <tlr@w3.org> To: WSC WG <public-wsc-wg@w3.org> Date: 10/06/2008 08:33 AM Subject: ACTION-520: Security considerations for wildcards (ISSUE-216) Sent by: public-wsc-wg-request@w3.org I propose to add the following security considerations text: >>>>> <head>Deriving human-readable information from domain-validated certificates</head> <p>For domain validated certificates, none of the ordinary human- readable information provided in a certificate is actually attested to; instead, a binding between public key a domain name (or wildcard) is created. Therefore, <specref ref="signal-content"/> provides that, as a fall-back of last resort, a domain name retrieved from the subject's subjectAltName extension, or from the Common Name attribute, should be displayed.</p> <p>This specification does not suggest displaying the domain name used in the source URI, since that domain name may be under the control of an attacker. We consider it less risky to display a string like "*.example.com", than "bigbank.example.com" when the binding that was attested is one to "*.example.com".</p> <<<<< I believe that, additionally, there should be a change in 6.1.1 that gives subjectAltName precedence over Common Name; I don't see a specific action item to make that change. Also, writing this text, it occurs to me that we nowhere say that a domain name should always be shortened from the left, never from the right. I suspect that the identity signal content section might be usefully hold that piece of advice. Thoughts anybody? Regards, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Saturday, 8 November 2008 15:40:04 UTC