[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Peter Eckersley pde at eff.org
Tue Nov 8 02:19:32 PST 2011


On Sat, Nov 05, 2011 at 07:36:34PM +0100, Matthias Hunstock wrote:
> Hi,
> 
> Am 05.11.2011 19:24, schrieb Peter Eckersley:
>
> > What constraints apply to you?  What can you issue a cert for?
> 
> the cert requests are checked against a whitelist which exists separately for
> each RA. Certs are only issued if CN and all SANs are FQDNs and match a
> domain suffix on the whitelist.
> 
> Though this whitelist can be managed by the RA staff, additions to the
> whitelist have to be manually approved by the people from DFN. Until they
> are approved it is not possible to issue certs for the just-added domain
> suffixes. I guess for approval they check whois-data. No matter what,
> nothing passes this unseen.  The list keeps second level domains, I think
> no one tried to add ac.uk or com.br until now :)

The most important part of all of this is that there is a whitelist of DNS
subspaces that is manually maintained by DFN for each of these sub-CAs.  That
is sound operational practice (and very good news if anyone can confirm that
these have been enforced practices for most/all of DFN's children since the
beginning).  I don't think it changes the fact that these are 200 CAs, but it
does mean that they are 200 CAs with strong effective name constraints, and
that means much less marginal security risk.

> 
> Nearly all CAs/RAs under DFN have very, very few domains for which they
> issue certificates, so this extremely restrictive policy is no problem for
> the daily business.

I was able to get information about the end entities signed by DFN's sub-CAs with
an Observatory query like this:

SELECT SUBSTRING_INDEX(name,".",-1) as tld, count(*) as c
FROM names 
JOIN valid_certs AS children 
    ON names.certid=children.certid 
JOIN valid_certs AS parents 
    ON children.`X509v3 extensions:X509v3 Authority Key Identifier:keyid`=parents.`X509v3 extensions:X509v3 Subject Key Identifier` 
WHERE LOCATE("dfn-verein",parents.issuer) 
GROUP BY tld
ORDER BY c desc;

+--------------------------------------------------------+-------+
| tld                                                    | c     |
+--------------------------------------------------------+-------+
| de                                                     | 10215 |
| edu                                                    |   382 |
| org                                                    |   153 |
| eu                                                     |    86 |
| com                                                    |    49 |
| net                                                    |    46 |
| local                                                  |    20 |
| info                                                   |    16 |
|                                                        |    12 |
| webmail                                                |     7 |
| intern                                                 |     6 |
| it                                                     |     6 |
| www                                                    |     5 |
| nl                                                     |     5 |
| gate                                                   |     3 |

(and another 163 rows of mostly-unqualified domain names)

Perhaps with a fancier query we could confirm that these name constraints are
largely in operation under .de as well.

> The big mass of certs are user certs anyway, but EFF
> doesn't look on that part :)
> 
> Greets
> M.Hunstock

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
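Added example, not part of this thread and not DFN's RA software: a small Python model of the RA rule Matthias describes (CN and every SAN must be an FQDN under an approved suffix, with suffix matching aligned on label boundaries), a constructed stand-in for the DFN approval step that keeps a registry suffix such as ac.uk off a whitelist, and the per-TLD tally that the Observatory query above computes with SUBSTRING_INDEX. The whitelist, the public-suffix sample, the request names and all function names are constructed for illustration.

```python
# Added example, not from this thread or from DFN's RA software: a model of the
# RA whitelist check described above, plus the per-TLD tally computed by the
# Observatory query. Whitelist, public-suffix sample, request names and
# function names are all constructed for illustration.
import re
from collections import Counter

# Hypothetical approved-suffix list for one RA (constructed).
RA_WHITELIST = {"example-uni.de", "example-uni.eu"}

# Constructed stand-in for the DFN approval step: a few registry-controlled
# suffixes, shared by many unrelated registrants, that must never be approved
# as a whitelist entry.
PUBLIC_SUFFIX_SAMPLE = {"de", "com", "br", "uk", "com.br", "ac.uk", "co.uk"}

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name: str) -> str:
    """Lower-case and drop trailing dots so comparisons are canonical."""
    return name.strip().lower().rstrip(".")


def is_fqdn(name: str) -> bool:
    """At least two well-formed labels and an alphabetic TLD; bare hostnames
    such as 'webmail' or 'intern' fail, which is the case the policy excludes."""
    name = normalize(name)
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not labels[-1].isalpha():
        return False
    return all(_LABEL.match(label) for label in labels)


def under_suffix(name: str, suffix: str) -> bool:
    """Suffix match aligned on a label boundary: 'www.example-uni.de' is under
    'example-uni.de', but 'www.notexample-uni.de' is not."""
    name, suffix = normalize(name), normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


def check_request(cn: str, sans, whitelist=RA_WHITELIST):
    """Apply the RA rule to one request and return (accepted, reason). Every
    name, CN and SANs alike, must be an FQDN under some approved suffix; a
    single bad SAN rejects the whole request."""
    for n in [cn, *sans]:
        if not is_fqdn(n):
            return False, f"{n!r} is not an FQDN"
        if not any(under_suffix(n, s) for s in whitelist):
            return False, f"{n!r} is outside the RA whitelist"
    return True, "ok"


def approve_suffix(suffix: str, public_suffixes=PUBLIC_SUFFIX_SAMPLE):
    """Constructed stand-in for the manual approval of a whitelist addition:
    the suffix must itself be a fully qualified domain (so no bare 'de') and
    must not be a registry suffix such as 'ac.uk'."""
    s = normalize(suffix)
    if not is_fqdn(s):
        return False, f"{s!r} is not a fully qualified domain"
    if s in public_suffixes:
        return False, f"{s!r} is a public suffix, too broad to whitelist"
    return True, "ok"


def tld_histogram(names):
    """The tally behind SUBSTRING_INDEX(name, '.', -1) ... GROUP BY tld: count
    whatever follows the last dot. A name with no dot counts under itself
    (which is how a bare 'webmail' or 'intern' shows up as a 'tld'), and a
    name ending in a dot counts under ''."""
    return Counter(n.rsplit(".", 1)[-1] for n in names)


# Constructed sample requests as an RA might receive them.
SAMPLE_REQUESTS = [
    ("www.example-uni.de", ["example-uni.de", "mail.example-uni.de"]),
    ("webmail", ["webmail.example-uni.de"]),        # bare hostname
    ("www.notexample-uni.de", []),                  # look-alike suffix
    ("portal.example-uni.eu", ["portal.example-uni.de"]),
    ("www.ac.uk", []),                              # not on this RA's list
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Return {cn: (accepted, reason)} for the sample requests."""
    return {cn: check_request(cn, sans) for cn, sans in requests}


if __name__ == "__main__":
    for cn, (ok, why) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {cn}: {why}")
    print(approve_suffix("ac.uk"), approve_suffix("example-uni.de"))
    print(tld_histogram([cn for cn, _ in SAMPLE_REQUESTS]))
```

The label-aligned suffix match in under_suffix is the part worth copying: a plain endswith() on the whitelist string would let a look-alike such as www.notexample-uni.de through, which is exactly the kind of name an effective constraint has to reject.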
