On Sun, Jun 8, 2008 at 6:54 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
> I recently encountered a web site with a certificate that chained through
> two intermediate CAs to one of Mozilla's trusted roots.
>
> This cert's Subject Alt Name (SAN) extension included:
>
> - 43 wildcard domain names (e.g. of the form *.something.tld)
> - 1 non-wildcard DNS name (of the form something.tld)
> - 4 binary IP addresses (all fully routable and accessible on the Internet)
> - 4 DNS name strings that were the ASCII dotted decimal form of those 8 IP
>   addresses
> - 12 simple host names (e.g. such as home, test, www01, www02, ... etc.)
>
> The cert's subject name included 60 Common Name (CN=) attributes whose
> attribute string values matched the 60 name strings in the SAN extension (as
> if multiple CN attributes each containing a DNS name was conformant).
>
> One of the cert's subject name OU attributes contained a string claiming
> the cert was domain validated.
>
> The 44 DNS names don't bother me any. I'm quite willing to believe that
> the issuer verified that all those domains had the same registrant.
>
> But the 12 simple host names and the 4 routable IP addresses (each of
> which appears twice) bother me.
>
> If I go to a url such as https://12.34.56.78/ and get a page with a lock
> icon claiming to be a bank or financial institution, or even a well known
> merchant, what assurances has that cert actually offered me?
>
> Likewise, if I go to https://home/ and get a "home" page for some
> enterprise, what assurances have I really been offered?
>
> Does this bother anyone else?
There is a bug on certs containing unqualified host names:
https://bugzilla.mozilla.org/show_bug.cgi?id=401317

Wan-Teh

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
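As an added illustration of the concern in Nelson's message (this is not code from the thread, from NSS or from Mozilla), a small standard-library Python audit of a SAN's name entries: it sorts dNSName/iPAddress values into the categories he lists, flags the ones that carry no assurance about who operates the host, and matches a requested host name only against fully qualified or wildcard entries, so https://home/ never matches a bare "home" entry. SAMPLE_DNS and SAMPLE_IPS are constructed sample input shaped like the certificate described, not the real certificate.

```python
# Audit the dNSName / iPAddress entries of an X.509 Subject Alt Name (standard library only).
# SAMPLE_DNS / SAMPLE_IPS are constructed sample input shaped like the cert in the thread.
import ipaddress

def classify_dns_name(name: str) -> str:
    """Category of one dNSName entry: fqdn, wildcard, unqualified or ip-literal-in-dnsname."""
    try:
        ipaddress.ip_address(name)          # dotted-decimal text stuffed into a dNSName
        return "ip-literal-in-dnsname"
    except ValueError:
        pass
    labels = name.lower().rstrip(".").split(".")
    kind = "fqdn"
    if labels[0] == "*":                    # only a leading wildcard label is honoured
        labels, kind = labels[1:], "wildcard"
    return "unqualified" if len(labels) < 2 else kind   # "home", "www01", "*.tld"

def audit_san(dns_names, ip_addresses):
    """Group SAN entries by category; iPAddress values are kept as normalised text."""
    report = {}
    for n in dns_names:
        report.setdefault(classify_dns_name(n), []).append(n)
    for ip in ip_addresses:
        report.setdefault("ip-address", []).append(str(ipaddress.ip_address(ip)))
    return report

def weak_entries(report):
    """Entries that say nothing about who operates the host: there is no domain to have validated."""
    weak = ("unqualified", "ip-literal-in-dnsname", "ip-address")
    return sorted({e for k in weak for e in report.get(k, [])})

def hostname_matches(host: str, dns_names) -> bool:
    """Conservative match: only fqdn/wildcard entries count, and '*' covers exactly one label."""
    hl = host.lower().rstrip(".").split(".")
    for n in dns_names:
        kind, nl = classify_dns_name(n), n.lower().split(".")
        if kind == "fqdn" and nl == hl:
            return True
        if kind == "wildcard" and len(nl) == len(hl) and nl[1:] == hl[1:]:
            return True
    return False

# Constructed sample shaped like the cert described: wildcards, one FQDN, IP text, bare host names.
SAMPLE_DNS = ["*.example.com", "*.example.net", "example.com", "192.0.2.10", "home", "test", "www01", "www02"]
SAMPLE_IPS = ["192.0.2.10", "198.51.100.7"]

if __name__ == "__main__":
    rep = audit_san(SAMPLE_DNS, SAMPLE_IPS)
    print("no assurance:", weak_entries(rep), "| https://home/ matches:", hostname_matches("home", SAMPLE_DNS))
```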