[SSL Observatory] DFN and subordinate CA domain-scoped whitelists
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Nov 9 09:12:16 PST 2011
On 11/09/2011 11:24 AM, Matthias Hunstock wrote:
> Am 09.11.2011 16:47, schrieb Daniel Kahn Gillmor:
>
>> My concern is that the CAs in question appear to be signing certificates
>> for names that do not have any domain suffix at all, or have a suffix
>> (like .local) known to be used in a colliding fashion by many people.
>
> No, not "is signing". WAS signing.
Correction duly noted; i have no evidence that they signed any of these
after 2010-04. Wags may point out that i also have no evidence that
they have *not* signed any of these after 2010-04, but i certainly can't
claim that they have.
>> I'm baffled by the idea that any CA would think it reasonable to sign a
>> .local name for a certificate of any duration, let alone a 5 year duration.
>
> Uhm btw. ... did you check the CRL?
i did not, but as i noted, the certificate is in active use. You can
see it here:
https://webmail-berlin.leibniz-gemeinschaft.de/
Its CRLs don't seem to contain the certificate's serial number:
>
> 0 dkg at pip:~$ wget -q -O- http://cdp1.pca.dfn.de/global-services-ca/pub/crl/cacrl.crl | openssl crl -inform DER -text -noout -CAfile /tmp/DFN-VereinCAServices | egrep -A1 'Last Update|0F2B8944'
> verify OK
> Last Update: Nov 7 21:07:27 2011 GMT
> Next Update: Nov 17 21:07:27 2011 GMT
> 0 dkg at pip:~$
Am i checking this wrong?
--dkg
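The check dkg describes above (fetch the CRL, render it with `openssl crl -text`, grep for the serial) can be exercised end to end against a throwaway CA so that the reader can see what a hit and a miss look like. The script below is an added example, not dkg's command and not anything from DFN: it builds a local CA with openssl, issues a leaf whose serial is set to 0F2B8944 (chosen to resemble the pattern grepped in the post, not the real certificate's serial), publishes a CRL before and after revoking that leaf, and applies both the grep-style check and the check openssl does itself with `openssl verify -crl_check`. The CA name, the leaf name `webmail.example.local`, the inline `openssl ca` configuration and the helper names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): revoke a test certificate and
# check its serial against the CRL two ways.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for `openssl ca` (constructed for this example).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 10
policy           = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
: > index.txt
echo 1000 > crlnumber
echo 0F2B8944 > serial   # next serial to issue; picked to resemble the post's grep pattern

# Throwaway CA (self-signed) and a leaf CSR signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Demo CA" -days 30 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=webmail.example.local" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1

# CRL before revocation (the serial must NOT appear) ...
openssl ca -config ca.cnf -gencrl -out crl0.pem >/dev/null 2>&1
# ... revoke, then a CRL after revocation (the serial MUST appear).
openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl1.pem >/dev/null 2>&1
# DFN publishes DER; keep a DER copy to show -inform DER behaves the same.
openssl crl -in crl1.pem -outform DER -out crl1.der

# serial_of CERT: the certificate's serial as uppercase hex (what -text prints).
serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# crl_pem CRL: emit the CRL as PEM on stdout, whatever the input encoding.
crl_pem() {
    case "$1" in *.der) form=DER;; *) form=PEM;; esac
    openssl crl -in "$1" -inform "$form" -outform PEM
}

# is_revoked CRL CERT: the grep-style check from the post. Exit 0 if the
# CRL's revoked-entry list carries the certificate's serial.
is_revoked() {
    crl_pem "$1" | openssl crl -noout -text \
      | grep -q "Serial Number: $(serial_of "$2")\$"
}

# verify_with_crl CRL CERT: let openssl do the lookup. Exit 0 if the chain
# verifies with CRL checking enabled, non-zero (e.g. "certificate revoked")
# otherwise.
verify_with_crl() {
    crl_pem "$1" > crl.tmp.pem
    openssl verify -crl_check -CAfile ca.crt -CRLfile crl.tmp.pem "$2" >/dev/null 2>&1
}

for crl in crl0.pem crl1.pem crl1.der; do
    if is_revoked "$crl" leaf.crt; then
        echo "$crl: serial $(serial_of leaf.crt) is listed as revoked"
    else
        echo "$crl: serial $(serial_of leaf.crt) not listed"
    fi
    if verify_with_crl "$crl" leaf.crt; then
        echo "$crl: openssl verify -crl_check accepts leaf.crt"
    else
        echo "$crl: openssl verify -crl_check rejects leaf.crt"
    fi
done
```

Two caveats a practitioner would add to the grep-style check. First, `-text` prints revoked serials as uppercase hex without colons, so the pattern must match that rendering (and a serial whose DER encoding carried a leading 00 pad byte is printed without it). Second, "verify OK" from `-CAfile` only says the CRL's signature checks out against the CA you supplied; it says nothing about the certificate being looked up, and a certificate may name more than one CRL distribution point, so a miss in one CRL is conclusive only if that CRL is the one the certificate actually points to and it is current.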