Re: [certid] open issue: wildcards in component fragments

Matt McCutchen <matt@mattmccutchen.net> Tue, 12 October 2010 23:50 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: mrex@sap.com
In-Reply-To: <201010122334.o9CNYLVL008766@fs4113.wdf.sap.corp>
References: <201010122334.o9CNYLVL008766@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 12 Oct 2010 19:51:54 -0400
Message-ID: <1286927514.1979.13.camel@mattlaptop2.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.4
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>

On Wed, 2010-10-13 at 01:34 +0200, Martin Rex wrote:
> I consider the conservative approach of MSIE/SChannel and Firefox to
> allow a tail wildcard on the leftmost DNS label, in addition to a
> full wildcard, sensitive risk management combined with minimal complexity.

As I said before, I don't think this "risk management" argument is real.
CAs are responsible for not giving an entity a certificate that matches
names the entity does not own.  Why should we believe they are any more
likely to mess up via wildcards than, e.g., by setting the basic
constraint "CA: true"?

-- 
Matt
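The two matching policies being compared in this thread (a full wildcard as the leftmost DNS label only, versus additionally allowing a tail wildcard such as `www*` in the leftmost label) can be made concrete with a small reference-identifier matcher. The code below is an added example written for this archive page; it is not from the thread, from MSIE/SChannel, or from Firefox/NSS. It assumes that labels compare case-insensitively, that a wildcard never matches across a dot (it covers exactly one label), and that a tail wildcard matches zero or more characters after its prefix; those three choices are assumptions, not claims about any implementation.

```python
"""Side-by-side evaluation of two certificate wildcard policies.

Added example for the certid thread on wildcards in component fragments.
Function and parameter names below are hypothetical; the matching rules
are a reading of the policies described in the thread, not any browser's
actual code.
"""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def match_reference(reference: str, presented: str, allow_tail_wildcard: bool) -> bool:
    """Return True if the certificate's `presented` name matches the
    client's expected `reference` name under the chosen policy.

    Rules common to both policies:
      * the two names must have the same number of labels;
      * a wildcard is only recognised in the leftmost presented label;
      * a full wildcard ("*") stands for exactly one non-empty label.
    With allow_tail_wildcard=True, a leftmost label of the form "prefix*"
    also matches any reference label that starts with `prefix`
    (assumption: zero or more characters after the prefix).
    """
    ref, pres = _labels(reference), _labels(presented)
    if not ref or len(ref) != len(pres):
        return False

    # Every label other than the leftmost must match exactly; a wildcard
    # anywhere but the leftmost label is rejected outright.
    for r, p in zip(ref[1:], pres[1:]):
        if "*" in p or r != p:
            return False

    left_ref, left_pres = ref[0], pres[0]
    if "*" not in left_pres:
        return left_ref == left_pres
    if left_pres == "*":
        # Full wildcard: one non-empty label, never more (so it cannot
        # reach across a dot to a deeper subdomain).
        return left_ref != ""
    if allow_tail_wildcard and left_pres.endswith("*") and left_pres.count("*") == 1:
        prefix = left_pres[:-1]
        return left_ref.startswith(prefix)
    # Anything else ("w*2", "*foo", "a*b*") is not a permitted form.
    return False


def compare_policies(reference: str, presented: str) -> dict[str, bool]:
    """Evaluate one (reference, presented) pair under both policies."""
    return {
        "full_wildcard_only": match_reference(reference, presented, False),
        "full_or_tail_wildcard": match_reference(reference, presented, True),
    }


if __name__ == "__main__":
    # Constructed sample pairs; example.com is used as a placeholder domain.
    for ref_name, cert_name in [
        ("www.example.com", "*.example.com"),
        ("www2.example.com", "www*.example.com"),
        ("a.b.example.com", "*.example.com"),
        ("www.example.com", "www.*.com"),
    ]:
        print(f"{ref_name:20} vs {cert_name:20} -> {compare_policies(ref_name, cert_name)}")
```

The point of running both policies over the same inputs is that the tail wildcard widens what one leftmost label can match, but under either policy a wildcard still cannot reach past a dot or appear anywhere except the leftmost label, which is the scope a CA is vouching for when it issues the name.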