[SSL Observatory] Name constraints: a reasonable idea that hasn't panned out in practice

Chris Palmer chris at eff.org
Fri Apr 22 15:00:36 PDT 2011


[ Jesse Burns told me about the observations I describe in this email, so credit him for the wisdom. Of course, if I describe the situation incorrectly, that is on me, not him. :) After hooting about this on Twitter with Adam Langley and Zooko, Jeff H. suggested I post here. Here goes! ]

Name constraints would be a nice thing to have, right? It would reduce the ability of a (say) Swedish CA to sign a certificate for (say) encrypted.google.com.

http://www.ietf.org/rfc/rfc2459.txt

"""
4.2.1.11  Name Constraints

   The name constraints extension, which MUST be used only in a CA
   certificate, indicates a name space within which all subject names in
   subsequent certificates in a certification path shall be located.
   Restrictions may apply to the subject distinguished name or subject
   alternative names.  Restrictions apply only when the specified name
   form is present. If no name of the type is in the certificate, the
   certificate is acceptable.

   Restrictions are defined in terms of permitted or excluded name
   subtrees.  Any name matching a restriction in the excludedSubtrees
   field is invalid regardless of information appearing in the
   permittedSubtrees.  This extension MUST be critical.

...
"""

mysql> select `X509v3 extensions:X509v3 Name Constraints` from valid_certs where `X509v3 extensions:X509v3 Name Constraints` is not null \G
*************************** 1. row ***************************
X509v3 extensions:X509v3 Name Constraints: Permitted:othername===<unsupported> ANDALSO Permitted:email===@tcs.ch ANDALSO Permitted:email===.tcs.ch ANDALSO Permitted:DNS===.tcs.ch ANDALSO Permitted:DirName=== DC = ch, DC = tcsgroup ANDALSO Permitted:DirName=== C = CH, DC = ch, DC = tcsgroup ANDALSO Permitted:DirName=== C = CH, ST = Geneva, L = Vernier, O = Touring Club Suisse (TCS) ANDALSO Permitted:DirName=== C = CH, O = Touring Club Suisse (TCS) ANDALSO Permitted:DirName=== O = Touring Club Suisse (TCS) ANDALSO Permitted:URI=== ANDALSO Permitted:IP===IP Address:<invalid>
*************************** 2. row ***************************
X509v3 extensions:X509v3 Name Constraints: Permitted:othername===<unsupported> ANDALSO Permitted:email===@icc-cpi.int ANDALSO Permitted:email===.icc-cpi.int ANDALSO Permitted:email===@icc.int ANDALSO Permitted:email===.icc.int ANDALSO Permitted:DNS===.icc-cpi.int ANDALSO Permitted:DNS===.icc.int ANDALSO Permitted:DirName=== DC = INT, DC = ICC ANDALSO Permitted:DirName=== C = NL, DC = INT, DC = ICC ANDALSO Permitted:DirName=== C = NL, ST = Zuid-Holland, L = The Hague, O = ICC-CPI ANDALSO Permitted:DirName=== C = NL, O = ICC-CPI ANDALSO Permitted:DirName=== O = ICC-CPI ANDALSO Permitted:URI=== ANDALSO Permitted:IP===IP Address:<invalid>
2 rows in set (0.00 sec)

Note that the fields are NOT marked critical, as they should be. Compare, for example:

mysql> select `X509v3 extensions:X509v3 Subject Alternative Name` from valid_certs where `X509v3 extensions:X509v3 Subject Alternative Name` like '%(critical)%' limit 10 \G
...
*************************** 9. row ***************************
X509v3 extensions:X509v3 Subject Alternative Name: (critical) DNS===sip.microsoft.com, DNS:sipalt.microsoft.com, DNS:sipfed.microsoft.com
*************************** 10. row ***************************
X509v3 extensions:X509v3 Subject Alternative Name: (critical) DNS===sip.microsoft.com, DNS:sipalt.microsoft.com, DNS:sipx.microsoft.com, DNS:sipfed.microsoft.com, DNS:web00.ocsweb.microsoft.com
10 rows in set (0.22 sec)


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code
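
Added example (not part of the original message, and not Observatory code): a small Python parser for the flattened "ANDALSO" / "===" column format shown in the query output above, which reports whether a Name Constraints value is marked critical and whether a hostname falls inside its DNS subtrees. Assumptions: a critical Name Constraints value would carry the same "(critical)" prefix as the Subject Alternative Name rows, excluded subtrees would be labelled "Excluded:", and a leading dot in a DNS constraint is treated as "this domain and everything under it".

```python
# Added illustration; not Observatory code.
CRITICAL = "(critical)"  # assumption: same marker the SAN rows above carry

# Abridged from row 1 of the query output above.
ROW = ("Permitted:othername===<unsupported> ANDALSO Permitted:email===@tcs.ch "
       "ANDALSO Permitted:DNS===.tcs.ch ANDALSO Permitted:URI=== "
       "ANDALSO Permitted:IP===IP Address:<invalid>")


def parse_name_constraints(value):
    """Return (critical, subtrees) for one flattened Name Constraints value."""
    value = value.strip()
    critical = value.startswith(CRITICAL)
    if critical:
        value = value[len(CRITICAL):].strip()
    subtrees = {"Permitted": {}, "Excluded": {}}  # "Excluded" label is assumed
    for entry in value.split(" ANDALSO "):
        head, sep, name = entry.partition("===")
        kind, colon, form = head.strip().partition(":")
        if sep and colon and kind in subtrees:
            subtrees[kind].setdefault(form, []).append(name.strip())
    return critical, subtrees


def _within(host, base):
    # Simplification: a leading dot is dropped, so ".tcs.ch" covers tcs.ch
    # and every name below it; matching is on whole labels only.
    base = base.lstrip(".").lower()
    host = host.rstrip(".").lower()
    return bool(base) and (host == base or host.endswith("." + base))


def dns_in_scope(host, subtrees):
    """Excluded subtrees win; otherwise host must fall under a permitted one."""
    if any(_within(host, b) for b in subtrees["Excluded"].get("DNS", [])):
        return False
    permitted = subtrees["Permitted"].get("DNS")
    return True if permitted is None else any(_within(host, b) for b in permitted)


def audit(value, host):
    critical, subtrees = parse_name_constraints(value)
    in_scope = dns_in_scope(host, subtrees)
    # A non-critical extension may be skipped by a validator that does not
    # implement it, so an out-of-scope name is only reliably rejected if critical.
    return {"critical": critical, "in_scope": in_scope,
            "reliably_rejected": critical and not in_scope}


if __name__ == "__main__":
    for h in ("www.tcs.ch", "encrypted.google.com"):
        print(h, audit(ROW, h))
```
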



