[SSL Observatory] DFN and subordinate CA domain-scoped whitelists [was: Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA]

Phillip Hallam-Baker hallam at gmail.com
Wed Nov 9 07:20:14 PST 2011


Is this an issue that we should address in CAA?

At the moment twitter.com can say 'only issue certs for me if you are my
authorized CA'.

Do we want to go further there? Can we?


Should the owner of example.com be able to state 'hey I am a very sensitive
domain, you should hotlist me?'

This issue is easy to spot when we are talking about twitter.com. Much
harder when we are talking about xn--wi99ciwisk.cn

I am not sure that owning example.com should allow someone to establish a
prohibition on issuing certs to example.com.**.com. But it might be something
that public CAs should maybe throw up a manual processing flag for.


On Wed, Nov 9, 2011 at 10:06 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:

> On Wed, 09 Nov 2011 12:28:57 +0100, Matthias Hunstock <
> matthias.hunstock at tu-ilmenau.de> wrote:
> > Am 09.11.2011 02:03, schrieb Daniel Kahn Gillmor:
> >
> > > Matthias, you seem to be aware of the domain-scoped whitelisting policy
> > > by DFN.  Do you know how .local fits in those policies?
> >
> > It's very simple. The domain whitelist was introduced some time ago
> > (about 1.5 years ago I think), the "bad" certs you have in your data
> > should be older than that.
>
> 0 dkg at pip:~$ echo | openssl s_client -connect
> mail.leibniz-gemeinschaft.de:443 2>/dev/null | openssl x509 -text -noout
> | grep -A3 Valid
>        Validity
>            Not Before: Nov 24 16:37:09 2009 GMT
>            Not After : Nov 23 16:37:09 2014 GMT
>        Subject: C=DE, O=DFN-Verein, OU=DFN-PKI, CN=
> webmail-berlin.leibniz-gemeinschaft.de
> 0 dkg at pip:~$
>
> Hmm, that's certainly the case for the one i was looking at.  So we're
> about 2 years into a 5-year certificate lifetime that doesn't meet valid
> domain whitelist constraints.
>
> This isn't exactly comforting information, unfortunately :/
>
> > No, I did not pentest the filter. There is a PKI test instance, e.g. for
> > software development, if that also has this filter (I only used it for
> > user certs by now) maybe I can play with that one.
>
> That'd be an interesting data point.
>
> > Requesting a cert for twitter.com would be an open violation of our CA
> > policy by me - I would rather avoid that :)
>
> Understood. :) What about pentesting with a domain that the owner is
> willing to let you try to forge?
>
>        --dkg
>



-- 
Website: http://hallambaker.com/
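An added example (not code from the thread, DFN, or any of its participants) of the label-boundary check a domain-scoped whitelist for a subordinate CA needs, run over the CN quoted above plus constructed edge cases. The whitelist contents, the extra names and the function names are assumptions made for illustration.

```python
# Added example, not part of the original thread: a domain-scoped issuance
# whitelist check of the kind discussed for DFN's subordinate CAs. Whitelist
# entries and all names other than the quoted CN are constructed.
from typing import Iterable


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_in_scope(hostname: str, whitelist: Iterable[str]) -> bool:
    """True if hostname equals a whitelisted domain or is a subdomain of one.

    Matching is done on whole DNS labels, so 'example.com' in the whitelist
    covers 'www.example.com' but not 'example.com.something.net' or
    'notexample.com'. A wildcard name is in scope iff its base name is.
    """
    host = _labels(hostname)
    if host and host[0] == "*":
        host = host[1:]
    for allowed in whitelist:
        a = _labels(allowed)
        if len(host) >= len(a) and host[-len(a):] == a:
            return True
    return False


def check_certificate_names(names: Iterable[str],
                            whitelist: Iterable[str]) -> dict[str, bool]:
    """Map each subject/SAN name of a request to whether the whitelist permits it."""
    wl = list(whitelist)
    return {n: name_in_scope(n, wl) for n in names}


# Constructed whitelist for a hypothetical subordinate CA.
WHITELIST = ["leibniz-gemeinschaft.de"]
# First entry is the CN quoted in the thread; the rest are constructed cases.
SAMPLE_NAMES = [
    "webmail-berlin.leibniz-gemeinschaft.de",
    "*.leibniz-gemeinschaft.de",
    "leibniz-gemeinschaft.de.example.net",  # suffix-only matching would wrongly accept
    "notleibniz-gemeinschaft.de",           # string suffix match would wrongly accept
    "mail.local",                           # .local names are never in scope
]

if __name__ == "__main__":
    for name, ok in check_certificate_names(SAMPLE_NAMES, WHITELIST).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {name}")
```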