[SSL Observatory] DFN and subordinate CA domain-scoped whitelists

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 9 07:47:35 PST 2011


On 11/09/2011 10:20 AM, Phillip Hallam-Baker wrote:
> I am not sure that owning example.com should allow someone to establish a
> prohibition issue of certs to example.com.**.com.

It's not clear to me who you think suggested this;  i certainly didn't,
and i think it would be a terrible idea.

My use of this "prefix-style" approach to the sAN was as an attempt to
scatter some chaff to distract from the public/global name "hidden" in
the sAN list.

My concern is that the CAs in question appear to be signing certificates
for names that do not have any domain suffix at all, or have a suffix
(like .local) known to be used in a colliding fashion by many people.

I'm baffled by the idea that any CA would think it reasonable to sign a
.local name for a certificate of any duration, let alone a 5 year duration.

	--dkg
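
A defender-side check for the problem described in this message, as an added example that is not from the original thread or the Observatory project: it flags subjectAltName dNSName entries that have no domain suffix at all or end in a reserved or colliding suffix such as .local, and validity windows longer than an assumed policy threshold. The SAN list, dates and the three-year threshold are constructed for illustration.

```python
"""Audit a certificate's subjectAltName dNSName entries for internal or
colliding names and for unusually long validity periods.
Example code written for this post; the SAN list below is constructed."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Suffixes that are reserved or widely reused on private networks, so no
# public CA can verify who controls them (RFC 2606, RFC 6761, RFC 6762).
RESERVED_SUFFIXES = ("local", "localhost", "invalid", "example", "test")
# Assumption: anything longer than roughly three years is flagged.
MAX_VALIDITY = timedelta(days=3 * 365 + 1)


def classify_name(name: str) -> Optional[str]:
    """Return a finding for one dNSName, or None if it looks like a public name."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):          # wildcard: judge the base name
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2:
        return "unqualified host name (no domain suffix)"
    if labels[-1] in RESERVED_SUFFIXES:
        return "reserved or colliding suffix ." + labels[-1]
    return None


def audit_certificate(san_names: List[str], not_before: datetime,
                      not_after: datetime) -> List[Tuple[str, str]]:
    """Collect findings for a certificate's SAN list and validity window."""
    findings = []
    for name in san_names:
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
    validity = not_after - not_before
    if validity > MAX_VALIDITY:
        findings.append(("validity", "%d days exceeds policy" % validity.days))
    return findings


# Constructed sample: one public name, one bare hostname, one .local name,
# one wildcard on a public domain, issued for five years.
SAMPLE_SAN = ["www.example.org", "mailserver", "printer.local", "*.corp.example.org"]
SAMPLE_NOT_BEFORE = datetime(2011, 11, 9)
SAMPLE_NOT_AFTER = datetime(2016, 11, 9)

if __name__ == "__main__":
    for item, reason in audit_certificate(SAMPLE_SAN, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER):
        print("%s: %s" % (item, reason))
```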



