[SSL Observatory] DFN and subordinate CA domain-scoped whitelists [was: Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 8 17:03:15 PST 2011


On Tue, 8 Nov 2011 02:19:32 -0800, Peter Eckersley <pde at eff.org> wrote:
> I was able to get information about the end entities signed by DFN's sub-CAs 
 [...]
> +--------------------------------------------------------+-------+
> | tld                                                    | c     |
> +--------------------------------------------------------+-------+
 [...]
> | local                                                  |    20 |

.local (the suffix not in the public root servers, but widely used for
link-local names by MDNS-SD [0]) just jumped out at me
here.

The other stuff might have problems (i haven't checked), but certifying
names with .local seems bizarre to me.  Can someone explain why DFN
would legitimately put the .local suffix into a domain-scoped whitelist
for a subordinate CA?

I just fetched the observatory database to have a look at some of these.

mail.leibniz-gemeinschaft.de is one example.  Its X.509 certificate
has the following chain which appears to validate:

---
Certificate chain
 0 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=webmail-berlin.leibniz-gemeinschaft.de
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein CA Services
 1 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein CA Services
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
---

and the subjectAltName field does in fact contain several names in the
.local zone:

 X509v3 Subject Alternative Name:
         DNS:autodiscover.evaluation-leibniz.de,
         DNS:autodiscover.evaluierung-leibniz.de,
         DNS:autodiscover.leibniz-association.eu,
         DNS:autodiscover.leibniz-gemeinschaft.de,
         DNS:autodiscover.leibniz-gemeinschaft.eu,
         DNS:autodiscover.leibniz.local,
         DNS:autodiscover.leibnizx.de,
         DNS:autodiscover.wgl.de,
         DNS:de-be-lbz-dcex1,
         DNS:de-be-lbz-dcex1.leibniz.local,
         DNS:de-be-lbz-exca1,
         DNS:de-be-lbz-exca1.leibniz.local,
         DNS:evaluation-leibniz.de,
         DNS:evaluierung-leibniz.de,
         DNS:leibniz-association.eu,
         DNS:leibniz-gemeinschaft.de,
         DNS:leibniz-gemeinschaft.eu,
         DNS:leibniz.local,
         DNS:leibnizx.de,
         DNS:mail.leibniz-gemeinschaft.de,
         DNS:webmail-berlin.leibniz-gemeinschaft.de,
         DNS:webmail.leibniz-gemeinschaft.de, DNS:wgl.de

Note the inclusion of leibniz.local, which I bet is in use via MDNS-SD on
more than one of the network segments of the people who read this list,
due to the popularity of "Dead Philosophers" as a computer naming
scheme.

Matthias, you seem to be aware of the domain-scoped whitelisting policy
by DFN.  Do you know how .local fits in those policies?

Regards,

   --dkg

[0] https://secure.wikimedia.org/wikipedia/en/wiki/.local
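The check a CA auditor or relying party would want for the situation dkg describes, written as an added example that is not part of this post and not DFN's tooling: it takes the dNSName entries from the subjectAltName quoted above and audits them against a domain-scoped whitelist the way an RFC 5280 name constraint would (a permitted suffix matches itself and anything with extra labels prepended), and it separately flags names that no public CA can validate ownership of: the special-use .local suffix (RFC 6762) and its relatives, and unqualified single-label hostnames. The whitelist used here is an assumption, chosen to be the public domains appearing in the certificate; DFN's actual scoping for this sub-CA is not known from the post.

```python
"""Audit subjectAltName dNSName entries against a domain-scoped whitelist
and flag names that are not publicly resolvable.

Added example; not code from the original post or from DFN-PKI.
"""

# Special-use suffixes that are not delegated in the public DNS and so cannot
# be validated by a public CA: .local (RFC 6762 mDNS), the RFC 6761 reserved
# names, and .onion (RFC 7686).
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".test", ".example",
                       ".invalid", ".onion")

# dNSName entries copied from the certificate quoted in the post.
SAMPLE_SAN = [
    "autodiscover.evaluation-leibniz.de", "autodiscover.evaluierung-leibniz.de",
    "autodiscover.leibniz-association.eu", "autodiscover.leibniz-gemeinschaft.de",
    "autodiscover.leibniz-gemeinschaft.eu", "autodiscover.leibniz.local",
    "autodiscover.leibnizx.de", "autodiscover.wgl.de",
    "de-be-lbz-dcex1", "de-be-lbz-dcex1.leibniz.local",
    "de-be-lbz-exca1", "de-be-lbz-exca1.leibniz.local",
    "evaluation-leibniz.de", "evaluierung-leibniz.de",
    "leibniz-association.eu", "leibniz-gemeinschaft.de",
    "leibniz-gemeinschaft.eu", "leibniz.local", "leibnizx.de",
    "mail.leibniz-gemeinschaft.de", "webmail-berlin.leibniz-gemeinschaft.de",
    "webmail.leibniz-gemeinschaft.de", "wgl.de",
]

# ASSUMPTION: a hypothetical whitelist for this sub-CA, made of the public
# domains present in the certificate. DFN's real scoping is not on the page.
ASSUMED_WHITELIST = [
    "evaluation-leibniz.de", "evaluierung-leibniz.de", "leibniz-association.eu",
    "leibniz-gemeinschaft.de", "leibniz-gemeinschaft.eu", "leibnizx.de", "wgl.de",
]


def _canon(name):
    """Lower-case and strip a trailing dot so comparisons are label-exact."""
    return name.lower().rstrip(".")


def in_scope(name, permitted):
    """RFC 5280 name-constraint semantics: a permitted dNSName matches the
    name itself and any name built by prepending labels to it."""
    n = _canon(name)
    for suffix in permitted:
        s = _canon(suffix)
        if n == s or n.endswith("." + s):
            return True
    return False


def classify(name, permitted):
    """Return 'unqualified', 'non-public', 'outside-whitelist' or 'ok'."""
    n = _canon(name)
    if "." not in n:
        return "unqualified"          # bare hostname, no zone at all
    if n.endswith(NON_PUBLIC_SUFFIXES):
        return "non-public"           # e.g. leibniz.local
    if not in_scope(n, permitted):
        return "outside-whitelist"    # issued beyond the sub-CA's scope
    return "ok"


def findings(names, permitted):
    """List every (name, problem) pair that an auditor should look at."""
    return [(n, classify(n, permitted)) for n in names
            if classify(n, permitted) != "ok"]


if __name__ == "__main__":
    for name, problem in findings(SAMPLE_SAN, ASSUMED_WHITELIST):
        print("%-40s %s" % (name, problem))
```

Run against the quoted SAN list with that whitelist, the audit reports exactly the six entries the post singles out: the three leibniz.local names as non-public and the two bare de-be-lbz-* hostnames as unqualified; every public name is inside scope. The point of the whitelist branch is that it is independent of the non-public one: even if a sub-CA's scope did list .local, that entry would still be flagged, because the suffix can be claimed by any host on any link-local segment and so conveys no ownership.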