Since he would have to apply for the cert in person (from what was said earlier) I don't think you can expect him to go braketesting this scheme.<div><br></div><div><br><div class="gmail_quote">On Tue, Nov 8, 2011 at 8:25 PM, Daniel Kahn Gillmor <span dir="ltr"><<a href="mailto:dkg@fifthhorseman.net">dkg@fifthhorseman.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Sat, 05 Nov 2011 16:40:03 +0100, Matthias Hunstock <<a href="mailto:matthias.hunstock@tu-ilmenau.de">matthias.hunstock@tu-ilmenau.de</a>> wrote:<br>
> I am member of one of these LRAs and I can tell you that we can NOT<br>
> issue a cert for <a href="http://twitter.com" target="_blank">twitter.com</a>.<br>
<br>
</div>I'm really glad to hear that DFN policies prevent this in some way!<br>
<br>
Can i ask how you have tested this restriction? I assume that you at<br>
least tried with a CSR that has a DN with CN=<a href="http://twitter.com" target="_blank">twitter.com</a> and had it<br>
rejected. Have you tried anything more sophisticated than that?<br>
<br>
For example, have you tried creating a CSR with a DN with<br>
CN=<a href="http://twitter.com.tu-ilmenau.de" target="_blank">twitter.com.tu-ilmenau.de</a>, and a bunch of entries in the<br>
subjectAltNames extension like:<br>
<br>
DNS:<a href="http://twitter.com.tu-ilmenau.de" target="_blank">twitter.com.tu-ilmenau.de</a>,<br>
DNS:<a href="http://autodiscover.twitter.com.tu-ilmenau.de" target="_blank">autodiscover.twitter.com.tu-ilmenau.de</a>,<br>
DNS:<a href="http://twitter.com" target="_blank">twitter.com</a>,<br>
DNS:autodiscover.twitter.com.local,<br>
DNS:twitter.com.local<br>
<br>
If you're worried about raising red flags by experimenting with a<br>
high-profile domain like <a href="http://twitter.com" target="_blank">twitter.com</a>, you're welcome to try to spoof<br>
<a href="http://danielgillmor.com" target="_blank">danielgillmor.com</a> (a domain i control) instead.<br>
<br>
Regards,<br>
<br>
--dkg<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><br><br>
</div>