Re: ACTION-520: Security considerations for wildcards (ISSUE-216)

Sorry, this fell down in my inbox. I don't agree with this and do not agree
to consensus. I think that if a person has a wildcard cert for
*.example.com and they are connected to a.example.com we should show
a.example.com as I don't think that * is
actually meaningful for a user. E.g. if I say "*.ebay.com: the identity of a
website has been verified by XYZ" a user may wonder what the heck is going
on because they're connected to signin.ebay.com. This may cause more
confusion than it's worth.
Yes, someone could get a wildcard cert for evil.com and then register
bankofamerica.evil.com, and the display would then say
bankofamerica.evil.com, but hopefully someone advanced enough to actually
find where this information is displayed (as it's in secondary chrome for
all browsers I'm aware of) is also advanced enough to read the whole host.

-Ian

On Mon, Nov 10, 2008 at 12:23 PM, Joe Steele <steele@adobe.com> wrote:

>
> I did have one question regarding the precedence of subjectAltName over
> commonName. What is the argument for this?
>
> I have seen certificates where the subjectAltName was used for a Unicode
> version of the commonName and I have seen cases where it is used for a URI
> where more information (about the subject) can be retrieved. For the first
> case precedence seems appropriate, but in the second it does not. Are we
> pretty confident that the second case is rare? I admit that I have not seen
> this in SSL certificates, only those used for authentication and digital
> signatures.
>
> Joe
>
> On 11/7/08 1:19 PM, "Mary Ellen Zurko" <mzurko@us.ibm.com> wrote:
>
>
> I'm taking lack of discussion as consensus on the item for the security
> considerations text. Anil, I'll create an editorial action for this.
>
> For the rest, it seems a bit vague to declare anything.
>
>         Mez
>
> From: Thomas Roessler <tlr@w3.org>
> To: WSC WG <public-wsc-wg@w3.org>
> Date: 10/06/2008 08:33 AM
> Subject: ACTION-520: Security considerations for wildcards (ISSUE-216)
> Sent by: public-wsc-wg-request@w3.org
>
> I propose to add the following security considerations text:
>
>  >>>>>
> <head>Deriving human-readable information from domain-validated
> certificates</head>
>
> <p>For domain validated certificates, none of the ordinary human-
> readable information provided in a certificate is actually attested
> to; instead, a binding between a public key and a domain name (or wildcard)
> is created.  Therefore, <specref ref="signal-content"/> provides that,
> as a fall-back of last resort, a domain name retrieved from the
> subject's subjectAltName extension, or from the Common Name attribute,
> should be displayed.</p>
>
> <p>This specification does not suggest displaying the domain name used
> in the source URI, since that domain name may be under the control of
> an attacker.  We consider it less risky to display a string like
> "*.example.com", than "bigbank.example.com" when the binding that was
> attested is one to "*.example.com".</p>
> <<<<<
>
> I believe that, additionally, there should be a change in 6.1.1 that
> gives subjectAltName precedence over Common Name; I don't see a
> specific action item to make that change.
>
> Also, writing this text, it occurs to me that we nowhere say that a
> domain name should always be shortened from the left, never from the
> right.  I suspect that the identity signal content section might
> usefully hold that piece of advice.
>
> Thoughts anybody?
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>
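
The following is an added example and not part of the thread or of the WSC specification. It illustrates the three points under discussion in one small Python module: subjectAltName dNSName entries taking precedence over the Common Name (with URI-type SAN entries, the case Joe raises, ignored because they are not host bindings), showing the attested name such as "*.example.com" rather than the host taken from the URI, and shortening a display name from the left only. The certificate data is constructed, and the wildcard matching rules (a single left-most "*" matching exactly one label, with at least two labels to its right) are an assumed policy modelled on common browser behaviour, not text from the thread.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """Identity fields of a hypothetical domain-validated certificate.
    san holds subjectAltName entries as (type, value) tuples."""
    san: List[Tuple[str, str]] = field(default_factory=list)
    common_name: Optional[str] = None


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, host: str) -> bool:
    """Match a host against one certificate name.
    Assumed policy (modelled on browser behaviour, not from the thread):
    '*' is only valid as the whole left-most label, matches exactly one
    label, and must be followed by at least two labels (so no '*.com')."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and "*" not in p[1:] and p[1:] == h[1:]
    return "*" not in p and p == h


def candidate_names(cert: CertIdentity) -> List[str]:
    """subjectAltName dNSName entries take precedence over the Common Name;
    the CN is consulted only when no dNSName entry exists. SAN entries of
    other types (e.g. a uniformResourceIdentifier) are not host bindings
    and are ignored."""
    dns = [value for kind, value in cert.san if kind == "dNSName"]
    if dns:
        return dns
    return [cert.common_name] if cert.common_name else []


def attested_identity(cert: CertIdentity, host: str) -> Optional[str]:
    """Return the certificate name the connection actually matched, e.g.
    '*.example.com' when connected to bigbank.example.com, rather than the
    host from the URI. None means the certificate does not cover the host."""
    for name in candidate_names(cert):
        if name_matches(name, host):
            return name
    return None


def shorten_from_left(name: str, max_len: int, marker: str = "...") -> str:
    """Shorten a display name by dropping left-most labels only, so the
    right-hand (registrable) part of the name always survives:
    'bankofamerica.login.evil.example' -> '...evil.example'."""
    if len(name) <= max_len:
        return name
    labels = name.split(".")
    while len(labels) > 2 and len(marker + ".".join(labels)) > max_len:
        labels.pop(0)
    return marker + ".".join(labels)


if __name__ == "__main__":
    # Constructed sample certificate, not a real one.
    wildcard = CertIdentity(san=[("dNSName", "*.example.com")],
                            common_name="*.example.com")
    print(attested_identity(wildcard, "bigbank.example.com"))
    print(shorten_from_left("bankofamerica.login.evil.example", 20))
```

Run as a script it prints the attested wildcard name for the bigbank host and the left-shortened form of a long name. The shortening keeps the right-most labels intact so the registrable domain remains readable, which is the property Thomas's remark about shortening from the left, never from the right, is after.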

Received on Monday, 10 November 2008 21:40:57 UTC