[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Phillip Hallam-Baker hallam at gmail.com
Tue Nov 8 18:33:12 PST 2011


Since he would have to apply for the cert in person (from what was said
earlier) I don't think you can expect him to go braketesting this scheme.


On Tue, Nov 8, 2011 at 8:25 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net>wrote:

> On Sat, 05 Nov 2011 16:40:03 +0100, Matthias Hunstock <
> matthias.hunstock at tu-ilmenau.de> wrote:
> > I am member of one of these LRAs and I can tell you that we can NOT
> > issue a cert for twitter.com.
>
> I'm really glad to hear that DFN policies prevent this in some way!
>
> Can i ask how you have tested this restriction?  I assume that you at
> least tried with a CSR that has a DN with CN=twitter.com and had it
> rejected.  Have you tried anything more sophisticated than that?
>
> For example, have you tried creating a CSR with a DN with
> CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
> subjectAltNames extension like:
>
>  DNS:twitter.com.tu-ilmenau.de,
>  DNS:autodiscover.twitter.com.tu-ilmenau.de,
>  DNS:twitter.com,
>  DNS:autodiscover.twitter.com.local,
>  DNS:twitter.com.local
>
> If you're worried about raising red flags by experimenting with a
> high-profile domain like twitter.com, you're welcome to try to spoof
> danielgillmor.com (a domain i control) instead.
>
> Regards,
>
>       --dkg
>



-- 
Website: http://hallambaker.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/observatory/attachments/20111108/5e000712/attachment.html>


More information about the Observatory mailing list