[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 8 17:25:20 PST 2011


On Sat, 05 Nov 2011 16:40:03 +0100, Matthias Hunstock <matthias.hunstock at tu-ilmenau.de> wrote:
> I am member of one of these LRAs and I can tell you that we can NOT
> issue a cert for twitter.com.

I'm really glad to hear that DFN policies prevent this in some way!

Can I ask how you have tested this restriction?  I assume that you at
least tried with a CSR that has a DN with CN=twitter.com and had it
rejected.  Have you tried anything more sophisticated than that?

For example, have you tried creating a CSR with a DN with
CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
subjectAltNames extension like:

 DNS:twitter.com.tu-ilmenau.de,
 DNS:autodiscover.twitter.com.tu-ilmenau.de,
 DNS:twitter.com,
 DNS:autodiscover.twitter.com.local,
 DNS:twitter.com.local

If you're worried about raising red flags by experimenting with a
high-profile domain like twitter.com, you're welcome to try to spoof
danielgillmor.com (a domain I control) instead.

Regards,

       --dkg
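The test dkg proposes above targets a specific gap: an RA that only looks at the CN while the subjectAltName extension carries the names a browser will actually honour. The following is an added example, not code from this thread, from DFN or from any LRA, of the check an RA would run on the requested names before forwarding a CSR. It assumes the LRA's permitted namespace is `tu-ilmenau.de` (a constructed policy), and the sample CN and SAN list are built from the names discussed in the message. It generalises slightly beyond the post by also catching the `endswith` pitfall (`evil-tu-ilmenau.de`), trailing-dot and case variants, and wildcard names.

```python
# Added example: RA-side namespace check over every requested DNS name
# (CN plus each SAN entry), not just the CN. Not part of the original post.
from typing import Iterable, List, Tuple

# Assumption: the LRA may only certify names inside these suffixes.
ALLOWED_SUFFIXES = ("tu-ilmenau.de",)


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip whitespace and one trailing dot."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def in_namespace(name: str, suffix: str) -> bool:
    """True only if name equals suffix or sits on a label boundary below it.
    A bare str.endswith(suffix) would also accept 'evil-tu-ilmenau.de'."""
    name, suffix = normalize(name), normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


def well_formed(name: str) -> bool:
    """Reject empty labels, leading/trailing hyphens and non-hostname characters."""
    labels = name.split(".")
    if not labels or any(not label for label in labels):
        return False
    return all(
        label.isascii()
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )


def check_request(
    cn: str,
    san_entries: Iterable[str],
    allowed: Tuple[str, ...] = ALLOWED_SUFFIXES,
    allow_wildcard: bool = False,
) -> Tuple[bool, List[str]]:
    """Return (ok, rejected). The request is acceptable only if every name,
    CN included, is a DNS name inside an allowed suffix. One bad SAN entry
    rejects the whole CSR; the other names do not 'vouch' for it."""
    rejected: List[str] = []
    names = [("CN", cn)]
    for entry in san_entries:
        # SAN entries are given in OpenSSL's "TYPE:value" notation.
        kind, _, value = entry.strip().partition(":")
        names.append((kind, value))

    for kind, raw in names:
        if kind not in ("CN", "DNS"):  # IP:, email:, URI: ... are out of scope here
            rejected.append(f"{kind}:{raw}")
            continue
        name = normalize(raw)
        if name.startswith("*."):
            if not allow_wildcard:
                rejected.append(f"{kind}:{raw}")
                continue
            name = name[2:]  # check the wildcard's base domain
        if not well_formed(name) or not any(in_namespace(name, s) for s in allowed):
            rejected.append(f"{kind}:{raw}")
    return (not rejected), rejected


# Constructed sample request, using the names from the thread.
SAMPLE_CN = "twitter.com.tu-ilmenau.de"
SAMPLE_SANS = [
    "DNS:twitter.com.tu-ilmenau.de",
    "DNS:autodiscover.twitter.com.tu-ilmenau.de",
    "DNS:twitter.com",
    "DNS:autodiscover.twitter.com.local",
    "DNS:twitter.com.local",
]

if __name__ == "__main__":
    ok, bad = check_request(SAMPLE_CN, SAMPLE_SANS)
    print("issue" if ok else "reject", bad)
```

Run against the sample, the CN and the two `.tu-ilmenau.de` SANs pass, while `twitter.com`, `autodiscover.twitter.com.local` and `twitter.com.local` are reported and the request is refused as a whole. The `.local` names are worth noting: they are not under any public suffix the RA controls, so a namespace check that only blacklists famous domains would still let them through.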