[SSL Observatory] DFN and subordinate CA domain-scoped whitelists [was: Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 9 07:06:49 PST 2011


On Wed, 09 Nov 2011 12:28:57 +0100, Matthias Hunstock <matthias.hunstock at tu-ilmenau.de> wrote:
> On 09.11.2011 02:03, Daniel Kahn Gillmor wrote:
> 
> > Matthias, you seem to be aware of the domain-scoped whitelisting policy
> > by DFN.  Do you know how .local fits in those policies?
> 
> It's very simple. The domain whitelist was introduced some time ago
> (about 1.5 years ago I think), the "bad" certs you have in your data
> should be older than that.

0 dkg at pip:~$ echo | openssl s_client -connect mail.leibniz-gemeinschaft.de:443 2>/dev/null | openssl x509 -text -noout | grep -A3 Valid
        Validity
            Not Before: Nov 24 16:37:09 2009 GMT
            Not After : Nov 23 16:37:09 2014 GMT
        Subject: C=DE, O=DFN-Verein, OU=DFN-PKI, CN=webmail-berlin.leibniz-gemeinschaft.de
0 dkg at pip:~$ 

Hmm, that's certainly the case for the one I was looking at.  So we're
about 2 years into a 5-year certificate lifetime that doesn't meet valid
domain whitelist constraints.

This isn't exactly comforting information, unfortunately :/

> No, I did not pentest the filter. There is a PKI test instance, e.g. for
> software development, if that also has this filter (I only used it for
> user certs by now) maybe I can play with that one.

That'd be an interesting data point.

> Requesting a cert for twitter.com would be an open violation of our CA
> policy by me - I would rather avoid that :)

Understood. :) What about pentesting with a domain that the owner is
willing to let you try to forge?

        --dkg
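An added example, not code from this thread or from DFN, of how a CA operator or relying party could audit still-valid certificates against a subordinate CA's domain whitelist and separate pre-whitelist issuance (the lifetime-overlap problem above) from later issuance that would point at a filter gap. The whitelist, the sample certificates and the May 2010 cutoff date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed cutoff: the thread places the DFN domain whitelist "about 1.5 years"
# before November 2011; the exact date is a constructed assumption.
POLICY_START = datetime(2010, 5, 1, tzinfo=timezone.utc)

@dataclass(frozen=True)
class CertRecord:
    subject_cn: str
    dns_sans: tuple
    not_before: datetime
    not_after: datetime

def name_in_scope(name, allowed_domains):
    """A name is in scope if it equals, or is a subdomain of, an allowed domain."""
    n = name.lower().rstrip(".")
    for d in allowed_domains:
        d = d.lower().rstrip(".")
        if n == d or n.endswith("." + d):
            return True
    return False

def audit(certs, allowed_domains, now):
    """Return (cn, out_of_scope_names, predates_policy) for certs valid at `now` with a name outside the whitelist."""
    findings = []
    for c in certs:
        names = {c.subject_cn, *c.dns_sans}
        bad = sorted(n for n in names if not name_in_scope(n, allowed_domains))
        if bad and c.not_before <= now < c.not_after:
            findings.append((c.subject_cn, bad, c.not_before < POLICY_START))
    return findings

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sub-CA scope and certificates; not real DFN or institutional data.
SUBCA_WHITELIST = ("example-uni.de",)
SAMPLE_CERTS = [
    CertRecord("www.example-uni.de", ("www.example-uni.de",), utc(2011, 3, 1), utc(2014, 3, 1)),
    CertRecord("exchange.campus.local", ("exchange.campus.local", "mail.example-uni.de"),
               utc(2009, 11, 24), utc(2014, 11, 23)),
    CertRecord("old.campus.local", (), utc(2008, 1, 1), utc(2010, 1, 1)),   # already expired
    CertRecord("host.example.org", (), utc(2011, 6, 1), utc(2013, 6, 1)),   # issued after cutoff
]

if __name__ == "__main__":
    for cn, bad, pre in audit(SAMPLE_CERTS, SUBCA_WHITELIST, utc(2011, 11, 9)):
        status = "issued before whitelist" if pre else "issued after whitelist: investigate"
        print(f"{cn}: out-of-scope names {bad} ({status})")
```

Expired certificates are skipped deliberately: the audit is about names a relying party can still be asked to trust today.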