[SSL Observatory] wildcarded Domain Names in certs (was: Name constraints: a reasonable idea that hasn't...)
=JeffH
Jeff.Hodges at KingsMountain.com
Fri May 6 14:31:03 PDT 2011
Erwann ABALEA <erwann at abalea.com> responded:
>
> 2011/5/5 Daniel Veditz <dveditz at mozilla.com>:
>>
>> On 4/22/11 4:44 PM, Erwann ABALEA wrote:
>>>
>>> Wildcard certificates were verified with different rules wether
>>> IE/CAPI or FF/NSS was used, if memory serves right; I think
>>> FF/NSS considered that something like "*.domain.com" could match
>>> "very.secure.domain.com", for example, but IE didn't. Lack of
>>> standardization.
>>
>> The wildcard rules are very clearly spelled out in the standards,
>
> Which standard? X.509 doesn't talk about this, RFC2459/3280/5280
> leaves such considerations outside of its scope, RFC2818 covers only
> HTTPS and is of "Informational" level, RFC2595, covers TLS with IMAP
> and POP3. Both RFCs have a definition of wildcard, but not the same.
Yes, every protocol layered over TLS has historically specified its own version
of what some call "name matching" -- the comparison of the domain name with
which the interaction was initiated, and the domain names embedded in the
returned End Entity cert (in the TLS/SSL handshake).
In RFC6125 we informationally reference all such RFCs we could identify (11 of
'em) and include relevant excerpts in appendix B.
> RFC6125's purpose is exactly on identity check,
yes, tho we term it "application service identity" (as denoted by a DNS domain
name). And the hope is that, going forward, protocol specs that intentionally
layer over TLS will reference RFC6125 for their application service identity
name matching, rather than specifying it themselves (in yet a different
permutation).
> and paragraph 7.2
> explains that wildcard is not clearly specified at all. Earlier in
> this document, wildcard usage is not recommenced.
Yes, Sec 7.2 explains that and a bunch more. I've included it below fyi/fwiw..
HTH,
=JeffH
-------
from http://tools.ietf.org/html/rfc6125:
7. Security Considerations
...
7.2. Wildcard Certificates
This document states that the wildcard character '*' SHOULD NOT be
included in presented identifiers but MAY be checked by application
clients (mainly for the sake of backward compatibility with deployed
infrastructure). As a result, the rules provided in this document
are more restrictive than the rules for many existing application
technologies (such as those excerpted under Appendix B). Several
security considerations justify tightening the rules:
o Wildcard certificates automatically vouch for any and all host
names within their domain. This can be convenient for
administrators but also poses the risk of vouching for rogue or
buggy hosts. See for example [Defeating-SSL] (beginning at slide
91) and [HTTPSbytes] (slides 38-40).
o Specifications for existing application technologies are not clear
or consistent about the allowable location of the wildcard
character, such as whether it can be:
* only the complete left-most label (e.g., *.example.com)
* some fragment of the left-most label (e.g., fo*.example.com,
f*o.example.com, or *oo.example.com)
* all or part of a label other than the left-most label (e.g.,
www.*.example.com or www.foo*.example.com)
* all or part of a label that identifies a so-called "public
suffix" (e.g., *.co.uk or *.com)
* included more than once in a given label (e.g.,
f*b*r.example.com
* included as all or part of more than one label (e.g.,
*.*.example.com)
These ambiguities might introduce exploitable differences in
identity checking behavior among client implementations and
necessitate overly complex and inefficient identity checking
algorithms.
o There is no specification that defines how the wildcard character
may be embedded within the A-labels or U-labels [IDNA-DEFS] of an
internationalized domain name [IDNA-PROTO]; as a result,
implementations are strongly discouraged from including or
attempting to check for the wildcard character embedded within the
A-labels or U-labels of an internationalized domain name (e.g.,
"xn--kcry6tjko*.example.org"). Note, however, that a presented
domain name identifier MAY contain the wildcard character as long
as that character occupies the entire left-most label position,
where all of the remaining labels are valid NR-LDH labels,
A-labels, or U-labels (e.g., "*.xn--kcry6tjko.example.org").
Notwithstanding the foregoing security considerations, specifications
that reuse this one can legitimately encourage continued support for
the wildcard character if they have good reasons to do so, such as
backward compatibility with deployed infrastructure (see, for
example, [EV-CERTS]).
---
end
More information about the Observatory
mailing list