IETF Logo Mail Archive

Re: [certid] additional security consideration

Peter Saint-Andre <stpeter@stpeter.im> Wed, 31 March 2010 22:14 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFD833A6AE9 for <certid@core3.amsl.com>; Wed, 31 Mar 2010 15:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.364
X-Spam-Level:
X-Spam-Status: No, score=-1.364 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQCwMM-++WQv for <certid@core3.amsl.com>; Wed, 31 Mar 2010 15:14:34 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id EA2103A6807 for <certid@ietf.org>; Wed, 31 Mar 2010 15:14:32 -0700 (PDT)
Received: from dhcp-64-101-72-158.cisco.com (dhcp-64-101-72-158.cisco.com [64.101.72.158]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id A96F540D3A for <certid@ietf.org>; Wed, 31 Mar 2010 16:15:03 -0600 (MDT)
Message-ID: <4BB3C966.6010003@stpeter.im>
Date: Wed, 31 Mar 2010 16:15:02 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: certid@ietf.org
References: <20100318040731.GA15227@eltex.net> <20100318195037.GA502@redhat.com> <4BA284FC.8060001@stroeder.com>
In-Reply-To: <4BA284FC.8060001@stroeder.com>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms040004040003010805050205"
Subject: Re: [certid] additional security consideration
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2010 22:14:36 -0000

On 3/18/10 1:54 PM, Michael Ströder wrote:
> Joe Orton wrote:
>> On Thu, Mar 18, 2010 at 07:07:31AM +0300, ArkanoiD wrote:
>>> Second level domain MUST NOT be wildcarded, thus *.com is invalid and should
>>> never match. (as well as "*", of course)
>>
>> I don't think it's appropriate for the draft to specify any requirement 
>> beyond the "left-most label" rule, so far as wildcards go.  I could 
>> imagine a "*.local" or similar could be useful to allow, and *.com is 
>> really little more dangerous than *.co.uk.
> 
> Good point with *.co.uk but I'd draw the opposite conclusion from it:
> I'd rather like to see wildcards forbidden completely or at least strongly
> discouraged.

I would, too. There are significant security concerns with them (related
to phishing attacks and such).

However, some CAs will issue wildcard certs to certificate holders who
are more highly verified (e.g., Class 2 certificates requiring identity
verification of some kind). So I think this is an open issue.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email