On 11/29/2008 05:27 PM, Frank Hecker:

> Made what a requirement? Mandating use of SAN in BlackBox?

Yes, that's what I actually meant.

> But my understanding
> (based on your hypothetical scenario) is that this would not be
> sufficient, since someone could remove the key material and try to issue
> certificates outside the context of the BlackBox product.

Which is correct too...at least in the above scenario misusing the system would require a higher effort and can't be performed directly from the system.

> My impression from Nelson's comments is that checking CN would be
> subject to potential errors, since there is no well-defined standard for
> what CN should contain. Thus the only foolproof approach would be to
> move to a world where we prohibit use of CN in contexts like SSL-enabled
> servers and force the use of SAN. But that would be a major undertaking
> and one that would likely take several years in order to coordinate
> action with other browser vendors and with CAs in general.

Prohibiting the subject line would be a tough call - unrealistic in my opinion. But checking for the CN field for SERVER certificate should be entirely possible, because that's what NSS does anyway (for domain match).

> The bottom line is that I certainly encourage WISeKey to promote correct
> use of SAN, including consideration of making its use mandatory in the
> BlackBox templates, investigation of why some customers don't use it,
> and resolution of any issues relating to use of SAN by BlackBox
> customers.

OK, so I guess there will be no follow up later on ;-)


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
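
The CN-versus-SAN point discussed in the message above, as an added example that is not part of the original thread and is not NSS or BlackBox code: a pre-issuance lint for server certificates that flags a CN which is not a DNS name, a CN missing from the SAN dNSName list, and a certificate with no SAN dNSName at all. It assumes certificate fields already decoded into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the finding labels and sample certificates are constructed for illustration.

```python
import re

# Hostname-shaped value: dot-separated LDH labels, optional leading "*." wildcard.
_DNS_NAME = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def common_names(cert):
    """Every CN value in the subject (a subject may carry more than one)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def dns_sans(cert):
    """Every dNSName entry in the subjectAltName extension."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def lint_server_cert(cert):
    """Return hypothetical finding labels; an empty list means the CN is covered by SAN."""
    findings = []
    sans = [s.lower() for s in dns_sans(cert)]
    if not sans:
        # Without a dNSName, a verifier has to fall back to matching the CN.
        findings.append("no-san-dnsname")
    for cn in common_names(cert):
        if not _DNS_NAME.match(cn):
            # Free-text CN: nothing defines what it should contain.
            findings.append("cn-not-dns-name:" + cn)
        elif sans and cn.lower() not in sans:
            findings.append("cn-missing-from-san:" + cn)
    return findings


# Constructed sample certificates (decoded fields only, not real certificates).
GOOD = {"subject": ((("commonName", "www.example.test"),),),
        "subjectAltName": (("DNS", "www.example.test"),)}
FREE_TEXT_CN = {"subject": ((("organizationName", "Example Corp"),),
                            (("commonName", "Example Corp Web Server"),))}
CN_NOT_IN_SAN = {"subject": ((("commonName", "shop.example.test"),),),
                 "subjectAltName": (("DNS", "www.example.test"),)}

if __name__ == "__main__":
    for name, cert in [("good", GOOD), ("free-text CN", FREE_TEXT_CN),
                       ("CN not in SAN", CN_NOT_IN_SAN)]:
        print(name, lint_server_cert(cert))
```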
