I recently encountered a web site with a certificate that chained through two intermediate CAs to one of Mozilla's trusted roots.
This cert's Subject Alt Name (SAN) extension included:

- 43 wildcard domain names (e.g. of the form *.something.tld)
- 1 non-wildcard DNS name (of the form something.tld)
- 4 binary IP addresses (all fully routable and accessible on the Internet)
- 4 DNS name strings that were the ASCII dotted decimal form of those 8 IP addresses
- 12 simple host names (e.g. such as home, test, www01, www02, ... etc.)

The cert's subject name included 60 Common Name (CN=) attributes whose attribute string values matched the 60 name strings in the SAN extension (as if multiple CN attributes each containing a DNS name were conformant). One of the cert's subject name OU attributes contained a string claiming the cert was domain validated.

The 44 DNS names don't bother me any. I'm quite willing to believe that the issuer verified that all those domains had the same registrant. But the 12 simple host names and the 4 routable IP addresses (each of which appears twice) bother me.

If I go to a URL such as https://12.34.56.78/ and get a page with a lock icon claiming to be a bank or financial institution, or even a well known merchant, what assurances has that cert actually offered me? Likewise, if I go to https://home/ and get a "home" page for some enterprise, what assurances have I really been offered?

Does this bother anyone else? Should Mozilla's policy speak to any of these issues?

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
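A small audit of the kinds of SAN entries the post describes, added here as an illustration and not part of the original message: it buckets each entry (wildcard, fully qualified name, iPAddress, dotted-decimal string placed in a dNSName, single-label host name) and lists the ones that give a relying party little to go on. The SAN entries below are constructed from RFC 5737 documentation addresses and example.* names; the function and class names are this example's own.

```python
import ipaddress
from collections import Counter

# Constructed sample SAN entries, shaped like the cert in the post
# (RFC 5737 documentation addresses and example.* names; not real data).
SAMPLE_SAN = [
    ("DNS", "*.example.com"),
    ("DNS", "*.example.net"),
    ("DNS", "example.org"),
    ("IP", "192.0.2.10"),
    ("IP", "198.51.100.20"),
    ("DNS", "192.0.2.10"),       # same address again, as a dNSName string
    ("DNS", "198.51.100.20"),
    ("DNS", "home"),
    ("DNS", "www01"),
    ("DNS", "test"),
]

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify(kind, value):
    """Bucket one SAN entry by what a relying party can infer from it."""
    if kind == "IP":
        return "ip_address"      # no domain ownership is implied by an address
    if is_ip_literal(value):
        return "ip_as_dnsname"   # RFC 5280 puts addresses in iPAddress, not dNSName
    if value.startswith("*."):
        return "wildcard"
    if "." not in value:
        return "single_label"    # unqualified name: not globally unique
    return "fqdn"

def audit_san(entries):
    """Return per-class counts plus the entries that deserve suspicion."""
    counts = Counter()
    weak = []
    ip_entries = {v for k, v in entries if k == "IP"}
    for kind, value in entries:
        cls = classify(kind, value)
        counts[cls] += 1
        if cls in ("ip_address", "ip_as_dnsname", "single_label"):
            note = cls
            if cls == "ip_as_dnsname" and value in ip_entries:
                note += " (duplicates an iPAddress entry)"
            weak.append((kind, value, note))
    return dict(counts), weak

if __name__ == "__main__":
    totals, flagged = audit_san(SAMPLE_SAN)
    print(totals)
    for entry in flagged:
        print("WEAK:", entry)
```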