[certid] open issue: wildcard certs

Peter Saint-Andre <stpeter@stpeter.im> Fri, 09 April 2010 16:55 UTC

Message-ID: <4BBF5C06.8030505@stpeter.im>
Date: Fri, 09 Apr 2010 10:55:34 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: certid@ietf.org
References: <20100318040731.GA15227@eltex.net> <20100318195037.GA502@redhat.com> <4BA284FC.8060001@stroeder.com> <4BB3C966.6010003@stpeter.im>
In-Reply-To: <4BB3C966.6010003@stpeter.im>
Subject: [certid] open issue: wildcard certs
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>

Regarding wildcard certs, we had the following exchange...

On 3/31/10 4:15 PM, Peter Saint-Andre wrote:
> On 3/18/10 1:54 PM, Michael Ströder wrote:
>> Joe Orton wrote:
>>> On Thu, Mar 18, 2010 at 07:07:31AM +0300, ArkanoiD wrote:
>>>> Second level domain MUST NOT be wildcarded, thus *.com is invalid and should
>>>> never match. (as well as "*", of course)
>>>
>>> I don't think it's appropriate for the draft to specify any requirement 
>>> beyond the "left-most label" rule, so far as wildcards go.  I could 
>>> imagine a "*.local" or similar could be useful to allow, and *.com is 
>>> really little more dangerous than *.co.uk.
>>
>> Good point with *.co.uk but I'd draw the opposite conclusion from it:
>> I'd rather like to see wildcards forbidden completely or at least strongly
>> discouraged.
> 
> I would, too. There are significant security concerns with them (related
> to phishing attacks and such).
> 
> However, some CAs will issue wildcard certs to certificate holders who
> are more highly verified (e.g., Class 2 certificates requiring identity
> verification of some kind). So I think this is an open issue.

This issue is still open. :)

The general approach I would take is to say this:

1. If the wildcard character is included in a cert, it MUST be the
entire left-most domain label (per IESG position).

2. A certification authority SHOULD NOT include the wildcard character
in certificates unless it has appropriate safeguards, strong identity
checking, or high trust in the recipient (e.g., "Class 2" or "Class 3"
certificates -- speaking of which, are these terms defined anywhere?).

3. We need to clearly document the security problems with wildcard certs
so that CAs can intelligently decide whether to issue them.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
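The rules argued over in this message (the "entire left-most label" rule in point 1, the proposal that "*.com" and a bare "*" never match, and Joe Orton's objection that "*.co.uk" is barely safer) can be made concrete with a small matcher. The code below is an added example written for this archive page; it is not from the thread, the certid draft, or any CA or TLS library. Its function names, the `min_fixed_labels` policy knob, and the sample identifiers are this example's own assumptions, as is the reading that a wildcard stands for exactly one DNS label.

```python
"""
Wildcard matching for DNS names in certificates (added example, not
part of the certid thread).

Implements: (1) the left-most-label rule, where '*' must be the whole
first label and may appear nowhere else; (2) a stricter, configurable
policy that requires a minimum number of fixed labels after the '*',
which models the proposal that "*.com" and "*" never match.
Assumptions: ASCII LDH labels only (no IDNA), comparison is
case-insensitive, one trailing dot is tolerated, and the wildcard
matches exactly one label.
"""
import re
from typing import List

# One DNS label in LDH form: letters, digits and interior hyphens.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name: str) -> List[str]:
    """Case-fold, drop one trailing dot, and split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def wildcard_is_well_formed(presented: str, min_fixed_labels: int = 0) -> bool:
    """
    True if `presented` is a plain DNS name, or a wildcard name where the
    '*' is the entire left-most label and nothing else contains a '*'.

    `min_fixed_labels` is the stricter policy from the thread: the number
    of non-wildcard labels that must follow the '*'. With 0 (the bare
    left-most-label rule) "*", "*.com" and "*.co.uk" are all well formed.
    With 2, "*" and "*.com" are rejected but "*.co.uk" still passes,
    which is exactly Orton's point about a label count alone.
    """
    labels = _labels(presented)
    if any(label == "" for label in labels):
        return False  # empty label: leading/double dots or empty name
    if "*" not in presented:
        return all(_LABEL_RE.match(label) for label in labels)
    if labels[0] != "*":
        return False  # "f*.example.com", "www.*.com": not the whole left-most label
    rest = labels[1:]
    if any("*" in label for label in rest):
        return False  # "*.*.example.com": a second wildcard
    if not all(_LABEL_RE.match(label) for label in rest):
        return False
    return len(rest) >= min_fixed_labels


def dns_id_matches(presented: str, reference: str, min_fixed_labels: int = 0) -> bool:
    """
    Compare a presented identifier from the certificate with the reference
    identifier (the hostname the client intended to reach).

    The wildcard stands for exactly one label, so "*.example.com" matches
    "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    if not wildcard_is_well_formed(presented, min_fixed_labels):
        return False
    if "*" in reference:
        return False  # a reference identifier never carries a wildcard
    p = _labels(presented)
    r = _labels(reference)
    if not all(_LABEL_RE.match(label) for label in r):
        return False
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r


if __name__ == "__main__":
    # Constructed sample pairs showing the open issue: the bare rule accepts
    # "*.com", a label-count policy rejects it but still accepts "*.co.uk".
    for presented, reference in [("*.example.com", "www.example.com"),
                                 ("*.com", "example.com"),
                                 ("*.co.uk", "example.co.uk"),
                                 ("*", "localhost")]:
        print(f"{presented:15} vs {reference:17} bare rule: "
              f"{dns_id_matches(presented, reference)!s:5} "
              f"min 2 fixed labels: {dns_id_matches(presented, reference, 2)}")
```

The `min_fixed_labels` knob is only there to make the thread's argument visible: it is a policy the verifier applies to what the CA issued, not a substitute for the CA's own judgement about who may receive a wildcard, which is what points 2 and 3 above are about.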