Nelson Bolyard:
> Well, presumably, the wildcard certs they issue are valid for multiple
> names within the domain that they validated only.  They then rely on
> the subject party to use the certs only in the servers that they control
> in that domain.  But that last statement is true of all CAs.  All CAs
> depend on the subject parties to control the use of the certs issued to
> them, and the CAs can revoke the certs if they find that the certs have
> not been adequately controlled.  So, this particular part doesn't bother
> me, AS LONG AS they really are domain validated.
>
>   
This particular part DOES bother you, because wild card certificates 
aren't controllable in the same way as regular ones. A seemingly 
innocent domain name can become a tool for phishing. For example 
*.domain.com matches paypal.domain.com and paypal-objects.domain.com, 
something a CA cannot control in these circumstances (you can't assume 
that a CA can adequately control wild card certificates as you mention 
above).  Wild card certificates shouldn't rely on domain validation 
only. Even though there is no explicit provision concerning wild card 
certificates in the Mozilla CA policy, section 4 is sufficient to assume 
that:

    We reserve the right to not include a particular CA certificate in
    our software products, to discontinue including a particular CA
    certificate in our products......including cases where we
    believe.... would *cause undue risks to users security*, for
    example, with CAs that

        * knowingly issue certificates without the knowledge of the
          entities whose information is referenced in the certificates; /or/
        * knowingly issue certificates that appear to be intended for
          fraudulent use.


Wild card certificates which are not at least identity validated may be 
intended for fraudulent use. Section 4 explicitly states also that the 
list above is not limited! Domain name validated wild card certificates 
can be a risk to users' security.

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
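
The matching behaviour discussed in the message above, shown as an added example that is not part of the original post or of any CA's or Mozilla's code: a wildcard in the leftmost label covers any single label, so a CA or domain owner auditing a wildcard certificate can list observed hostnames it covers whose label contains a watched brand name. The function names, the observed-host list and the watch list are constructed for illustration, and the matcher assumes the common rule that `*` stands for exactly one whole leftmost label.

```python
# Added illustration: audit which observed hostnames a wildcard certificate
# covers and flag covered names whose leftmost label contains a watched brand.
# All names and sample data below are constructed, not taken from the thread.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name covers hostname.

    Assumption: '*' is honoured only as the complete leftmost label and
    stands for exactly one label (no partial-label wildcards).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def flag_brand_labels(pattern, observed_hosts, brands):
    """Return (host, brand) pairs for covered hosts with a brand in the label."""
    hits = []
    for host in observed_hosts:
        if not wildcard_matches(pattern, host):
            continue
        leftmost = host.lower().split(".")[0]
        for brand in brands:
            if brand in leftmost:
                hits.append((host, brand))
    return hits


# Constructed sample: hostnames seen in DNS or proxy logs for one subscriber.
OBSERVED = [
    "www.domain.com",
    "paypal.domain.com",
    "paypal-objects.domain.com",
    "paypal.login.domain.com",   # two labels deep: not covered by *.domain.com
    "domain.com",                # bare domain: not covered by the wildcard
    "paypal.example.net",        # different domain: not covered
]
WATCHED_BRANDS = ["paypal"]

if __name__ == "__main__":
    for host, brand in flag_brand_labels("*.domain.com", OBSERVED, WATCHED_BRANDS):
        print(f"covered by *.domain.com and contains '{brand}': {host}")
```
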
 
