[certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 19 October 2010 00:08 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id D7ACC3A6BC4 for <certid@core3.amsl.com>;
Mon, 18 Oct 2010 17:08:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.092
X-Spam-Level:
X-Spam-Status: No,
score=-101.092 tagged_above=-999 required=5 tests=[AWL=-0.861, BAYES_00=-2.599,
IP_NOT_FRIENDLY=0.334, SARE_URI_EQUALS=1.666, URI_HEX=0.368,
USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMRoePYjXAk3 for
<certid@core3.amsl.com>; Mon, 18 Oct 2010 17:08:18 -0700 (PDT)
Received: from cpoproxy2-pub.bluehost.com (cpoproxy2-pub.bluehost.com
[67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id E03893A6A93 for
<certid@ietf.org>; Mon, 18 Oct 2010 17:08:17 -0700 (PDT)
Received: (qmail 18577 invoked by uid 0); 19 Oct 2010 00:09:47 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy2.bluehost.com with SMTP; 19 Oct 2010 00:09:47 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=fmc4+1zgm+KGmTeWdK5OMFcBwSRNRGiAqb818BnvwBuCvqS7KgXibfnuJoLn9ala2yCs2Ocf1kUthmhJ12X2c7JNRtTlXuA2/WBA3sH6kGhwsnPiiEQ9kfJLOd4V0Z0H;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.136.179]) by
box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69)
(envelope-from <Jeff.Hodges@KingsMountain.com>) id 1P7zlz-0004Yn-6y for
certid@ietf.org; Mon, 18 Oct 2010 18:09:47 -0600
Message-ID: <4CBCE1C9.3090104@KingsMountain.com>
Date: Mon, 18 Oct 2010 17:09:45 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2010 00:08:20 -0000
So, I got a couple of bug reports on my original msg in this thread (thanks!). It turns out (a) my regex was sorta broken, and (b) the subjectCommonName column Ivan has in the dbase table has all the "CN" attr values smooshed into it. So the certs with a subject with just one CN attr-value-assertion (AVA) will (likely) have a reasonable-looking value (but not necessarily a domain name) in the subjectCommonName column, but a subject with multiple CN AVAs will have an odd-looking value in subjectCommonName (like the ones I included in my orig msg). Now, as Martin pointed out, the ones that look like this.. www.cebbank.com+2.5.4.5=#130f313030303030303030303131373438 ..seem to be an RDName that's comprised of two AVAs, and in the/this DN string representation, they're conjoined by a "+" char. And yes, as Matt noted, it seems there's a bug in the parser used for the survey where it apparently assumed that an RDN beginning with a "CN=" contains only a CN AVA. Also, upon examining subject names more closely, it appears it properly parsed RDNs where the CN AVA appears after the first AVA in the RDN. E.g... 2.5.4.5=#13083431343038353030+CN=secure.capis.com ..yielded "secure.capis.com" in the subjectCommonName column, surprisingly enough. So, anyway, yes, there are subject name with CN AVAs that have values /other than/ dns domain names. Sometimes the cert has both natural-language CN values (i.e. one or more) along with domain name values, sometimes just natural-language values, but largely the CN values in the overall data are domain name values. With a new regex, I count 622 cert entries with at least one natural-language CN value (they may also have CN values containing domain name-like constructs). e.g... CN=USMOTIVATION CN=MONARCH MARKETING SERVICES (MONARCH GRAPHICS, INC) CN=NORTH CAROLINA INFORMATION DATA, INC. I hear tell that the regex-like esatz CN-ID values, e.g... (www|zeus).asap-solution.com ..are due to at least one browser supporting (but no more?) such constructs. =JeffH
- [certid] weird CN-IDs (subjectCommonName) in SSL … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … Martin Rex
- Re: [certid] weird CN-IDs (subjectCommonName) in … Matt McCutchen
- [certid] weird CN-IDs (subjectCommonName) in SSL … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … Rob Stradling