IETF Logo Mail Archive

Re: [certid] open issue: wildcards in component fragments

Martin Rex <mrex@sap.com> Wed, 13 October 2010 04:49 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5FB5F3A67AF for <certid@core3.amsl.com>; Tue, 12 Oct 2010 21:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.889
X-Spam-Level:
X-Spam-Status: No, score=-9.889 tagged_above=-999 required=5 tests=[AWL=0.360, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iYAqDfWgr0x8 for <certid@core3.amsl.com>; Tue, 12 Oct 2010 21:49:36 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 203E93A6B37 for <certid@ietf.org>; Tue, 12 Oct 2010 21:49:35 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o9D4onmN029692 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 13 Oct 2010 06:50:49 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201010130450.o9D4omeE024689@fs4113.wdf.sap.corp>
To: matt@mattmccutchen.net (Matt McCutchen)
Date: Wed, 13 Oct 2010 06:50:48 +0200 (MEST)
In-Reply-To: <1286927514.1979.13.camel@mattlaptop2.local> from "Matt McCutchen" at Oct 12, 10 07:51:54 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 04:49:40 -0000

Matt McCutchen wrote:
> 
> On Wed, 2010-10-13 at 01:34 +0200, Martin Rex wrote:
> > I consider the conservative approach of MSIE/SChannel and Firefox to
> > allow a tail wildcard on the leftmost DNS label, in addition to a
> > full wildcard, sensitive risk management combined with minimal complexity.
> 
> As I said before, I don't think this "risk management" argument is real.

The rist management argument is VERY real.

Recall the numbers:
:
: http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
: 
: - 382860 total sites (hostnames) returned a cert
: - 94438 of total sites used a wildcard cert (24%)
: - 5% of total sites use the wildcard cert with CN=*.blogger.com
:    ... other blogging/mass-hosting sites similarly high usage
: 
: Only a handful (5) use the "f*.example.com" form; all those were certs 
: issued by the GoDaddy and starfieldtech.com CAs.


Full wildcard certs are dangerous, because they will match any host
in a domain (which makes them a much more interesting target for
credential-stealing).

I assume that a non-negligible of those servers that are currently using
full wildcards could be using tail-match wildcards instead -- something
which could reduce the risk for some of the other servers in a domain.

The reason why tail-wildcards are rarely used is probably not that server
operators do not like them or browsers would not support them,
but that there are currently not enough CAs offering them.

Now instead of killing something which would help the risk managment
of server operaters, server-id-check should describe tail-wildcards
on the leftmost DNS label as an alternative to full wildcards as a MAY.


-Martin

v2.8.7 | Report a Bug | By Email