On 02/23/2009 02:01 PM, Jean-Marc Desperrier:
> When issuing an SSL server cert there is no need for special checking at the CA level, because nobody will first be able to obtain a dangerous domain name within that TLD.
Like the IANA requirement to state correct information in the WHOIS records? Makes me laugh...
> Writing the above was very useful for me, because it made me realize the current problem is quite a bit wider than just wildcard certificates. The attack is possible even without a wildcard certificate.
That's correct. IDN presents a different problem than wildcards. Unfortunately the original reporter mixed those two up badly, which wasn't useful. Both issues need to be treated differently.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto