Eddy Nigg (StartCom Ltd.) wrote, On 2008-03-15 14:59:
> Nelson Bolyard:
>> [snip] All CAs
>> depend on the subject parties to control the use of the certs issued to
>> them, and the CAs can revoke the certs if they find that the certs have
>> not been adequately controlled. So, this particular part doesn't bother
>> me, AS LONG AS they really are domain validated.
>>
> This particular part DOES bother you, because wild card certificates
> aren't controllable in the same way as regular ones. A seemingly
> innocent domain name can become a tool for phishing. For example
> *.domain.com matches paypal.domain.com and paypal-objects.domain.com,
> something a CA cannot control in these circumstances (you can't assume
> that a CA can adequately control wild card certificates as you mention
> above).
You say a CA can control this, but what can or should a CA do, and with
what authority? What would you propose?

That CAs disallow the issuance of certs for hosts (or sub-domains) whose
host name matches the name found in any TLD in the .com domain? Would you
have all CAs refuse me a cert for nelson.bolyard.com because there exists
a nelson.com domain? Would you have all CAs refuse a cert for
bugzilla.mozilla.org, because there exists a bugzilla.com?

What if the subdomain/host name existed, with a certificate first (as is
likely the case for bugzilla.com, I think)? Would you have CAs refuse to
issue certs for bugzilla.com because a CA had already issued a cert to
bugzilla.mozilla.org?

How about domain registrars? Would you have them refuse to register the
domain bugzilla.com because a cert existed for bugzilla.mozilla.org?

The only restriction of which I'm aware on domain names that domain
registrars should register or CAs should issue has to do with
international character sets, and the ability to produce a string in
another character set that LOOKS like, but is not identical to, some
already registered .com domain name. But that only applies to registering
names that visually appear to be EXACT duplicates of other extant domains.

If you would not propose to prohibit the issuance of certs for hosts whose
host names match .com TLD names, then on what other basis would you
propose to create such a prohibition? Would you have CAs refuse to issue
a cert to paypal.mozilla.org (say) on the grounds that:

- Paypal is a big company worth lots of $$$? (What's the $$ threshold?)
- Paypal's web site gives users accounts that are password protected?
- Paypal is known to be a phishing target? (What's the metric?)
- or something else? (please elaborate).

Test your answer by switching the names as follows: Would you have CAs
refuse to issue a cert to bugzilla.com because bugzilla.mozilla.org is
any of the things listed above?
Note that even the EV "guidelines" do not prohibit EV CAs from issuing
certs on any of the grounds suggested above.

> Wild card certificates shouldn't rely on domain validation
> only. Even though there is no explicit provision concerning wild card
> certificates in the Mozilla CA policy, section 4 is sufficient to assume
> that:
>
> We reserve the right to not include a particular CA certificate in
> our software products, to discontinue including a particular CA
> certificate in our products......including cases where we
> believe.... would *cause undue risks to users' security*, for
> example, with CAs that
>
> * knowingly issue certificates without the knowledge of the
> entities whose information is referenced in the certificates; /or/
> * knowingly issue certificates that appear to be intended for
> fraudulent use.

Again, what is your test for "appear to be intended for fraudulent use?"

> Wild card certificates which are not at least identity validated may be
> intended for fraudulent use. Section 4 explicitly states also that the
> list above is not limited! Domain name validated wild card certificates
> can be a risk to users' security.

Certificates bind a key to a name. Period. Full stop. EV certs may say
something about the owner's right to use a name, but not even EV certs say
anything about the intent or righteousness or karma of the named party or
the named domain or host.

My point is that it is pointless to attempt to prohibit issuance of
subdomain wildcard certs on the basis of DV until you establish some clear
criteria upon which CAs can (and collectively will) rightfully deny certs
for host names to well identified subscribers (cert subjects).

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
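The thread turns on exactly which host names a wildcard such as *.domain.com covers. The following is an editor's added example, not code from either author or from Mozilla; it implements the wildcard rules modern TLS clients apply (RFC 6125, section 6.4.3: the wildcard must be the entire left-most label, it matches exactly one label, and it may not sit directly under a public suffix) so the scope of a DV wildcard can be checked rather than argued about. The public-suffix set is a constructed, deliberately short stand-in; a real client consults the full Public Suffix List.

```python
# Editor's added example: enumerate what a wildcard certificate name covers.
# Rules follow RFC 6125 s.6.4.3 as applied by mainstream TLS clients.

# Constructed stand-in for the Public Suffix List (assumption for this demo).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def _labels(name: str):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_is_permitted(cert_name: str) -> bool:
    """True if cert_name is a plain name or a wildcard a client should honour."""
    labels = _labels(cert_name)
    star_labels = [lab for lab in labels if "*" in lab]
    if not star_labels:
        return True                      # no wildcard at all
    if len(star_labels) > 1 or labels[0] != "*":
        return False                     # '*' must be the whole left-most label, once
    rest = labels[1:]
    if len(rest) < 2 or ".".join(rest) in PUBLIC_SUFFIXES:
        return False                     # '*.com' / '*.co.uk' would cover a whole TLD
    return True


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Does the certificate name (possibly a wildcard) cover this hostname?"""
    if not wildcard_is_permitted(cert_name):
        return False
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if cert_labels[0] != "*":
        return cert_labels == host_labels          # exact, case-insensitive
    # Wildcard: one label stands in for '*', every remaining label is identical.
    # Hence *.domain.com covers paypal.domain.com but not domain.com itself,
    # not www.paypal.domain.com (two labels), and never paypal.com.
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def covered_hosts(cert_name: str, candidates):
    """Filter a list of candidate hostnames down to those the cert name covers."""
    return [h for h in candidates if hostname_matches(cert_name, h)]


if __name__ == "__main__":
    # Constructed candidate list taken from the names discussed in the thread.
    candidates = [
        "paypal.domain.com", "paypal-objects.domain.com", "domain.com",
        "www.paypal.domain.com", "paypal.com",
    ]
    print(covered_hosts("*.domain.com", candidates))
    for bad in ("*.com", "*.co.uk", "pay*.domain.com", "*.*.domain.com"):
        print(bad, "permitted:", wildcard_is_permitted(bad))
```

The point the matcher makes concrete is that a DV wildcard is bounded by the subscriber's own zone: it spans every single-label child of domain.com, which is exactly what the subscriber controls, and nothing outside it.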