[SSL Observatory] DFN and subordinate CA domain-scoped whitelists [was: Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA]

Matthias Hunstock matthias.hunstock at tu-ilmenau.de
Wed Nov 9 03:28:57 PST 2011


Am 09.11.2011 02:03, schrieb Daniel Kahn Gillmor:

> Matthias, you seem to be aware of the domain-scoped whitelisting policy
> by DFN.  Do you know how .local fits in those policies?

It's very simple. The domain whitelist was introduced some time ago
(about 1.5 years ago I think), the "bad" certs you have in your data
should be older than that.

> For example, have you tried creating a CSR with a DN with
> CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
> subjectAltNames extension like:

No, I did not pentest the filter. There is a PKI test instance, e.g. for
software development, if that also has this filter (I only used it for
user certs by now) maybe I can play with that one.

Requesting a cert for twitter.com would be an open violation of our CA
policy by me - I would rather avoid that :)

greets
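The question above (whether a filter that looks at the CN also covers every subjectAltName, and how .local names fit) is easiest to reason about with a concrete check. The following is an added illustration, not DFN's filter and not code from this thread: the thread does not describe the actual rules, so the permitted scope (`tu-ilmenau.de`) and the rejection reasons are assumptions for the example. It judges each name the certificate would be valid for, CN and SAN dNSNames alike, against the sub-CA's domain scope with label-aligned suffix matching.

```python
# Added illustration of a domain-scoped issuance check for a subordinate CA.
# This is NOT DFN's filter (the thread does not describe its rules); the
# permitted scope and the rejection reasons are assumptions for the example.

PERMITTED_SUFFIXES = ("tu-ilmenau.de",)  # assumed scope of the sub-CA


def _labels(name):
    """Lower-cased DNS labels, trailing dot removed."""
    return name.lower().rstrip(".").split(".")


def _within(labels, suffix):
    """True if the labelled name equals suffix or sits label-aligned below it,
    so 'evil-tu-ilmenau.de' does not count as inside 'tu-ilmenau.de'."""
    s = _labels(suffix)
    return len(labels) >= len(s) and labels[-len(s):] == s


def check_requested_names(common_name, san_dns_names, permitted=PERMITTED_SUFFIXES):
    """Return [(name, reason), ...] for every name that must block issuance.

    Checks the subject CN and every subjectAltName dNSName alike: clients
    match against the SAN list, so a CN-only whitelist would be bypassed by
    a request whose CN is in scope but whose SANs are not.
    """
    violations = []
    seen = set()
    for name in [common_name, *san_dns_names]:
        key = name.lower().rstrip(".")
        if key in seen:
            continue
        seen.add(key)
        labels = _labels(name)
        if not key or any(lab == "" for lab in labels):
            violations.append((name, "malformed name"))
            continue
        if len(labels) == 1 or labels[-1] == "local":
            # unqualified or mDNS-style names are not unique on the public
            # Internet and cannot lie inside any public domain scope
            violations.append((name, "non-public name"))
            continue
        # a wildcard is judged by the part of the tree it would cover
        check = labels[1:] if labels[0] == "*" else labels
        if not any(_within(check, suf) for suf in permitted):
            violations.append((name, "outside permitted scope"))
    return violations


if __name__ == "__main__":
    # constructed request names, modelled on the thread's example
    print(check_requested_names(
        "twitter.com.tu-ilmenau.de",
        ["twitter.com.tu-ilmenau.de", "twitter.com", "printer.local"]))
```

Note that `twitter.com.tu-ilmenau.de` itself passes, since it genuinely lies inside the scope; what the check blocks is the out-of-scope SAN entry (`twitter.com`) and the `.local` name that a CN-only filter would never see.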
