[SSL Observatory] DFN and subordinate CA domain-scoped whitelists [was: Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA]

Ralph Holz holz at net.in.tum.de
Wed Nov 9 04:41:28 PST 2011


Hi,

>> Matthias, you seem to be aware of the domain-scoped whitelisting policy
>> For example, have you tried creating a CSR with a DN with
>> CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
>> subjectAltNames extension like:
> 
> No, I did not pentest the filter. There is a PKI test instance, e.g. for
> software development, if that also has this filter (I only used it for
> user certs by now) maybe I can play with that one.
> 
> Requesting a cert for twitter.com would be an open violation of our CA
> policy by me - I would rather avoid that :)

Hm, I could have a chat with the guys in charge here, maybe they're
willing to do that...

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
