On 23/2/09 13:41, Eddy Nigg wrote:
On 02/23/2009 02:01 PM, Jean-Marc Desperrier:
When issuing a SSL server cert there is no need for a special checking
at the CA level, because nobody will first be able to obtain a dangerous
domain name within that TLD.

Like the IANA requirement to state correct information in the WHOIS
records? Makes me laugh...

Writing the above was very useful for me, because it made me realize the
current problem is quite wider than just wildcard certificates.
The attack is possible even without a wildcard certificate.

That's correct. IDN presents a different problem than wild cards.
Unfortunately the original reporter mixed those two badly up, which
wasn't useful. Both issues need to be treated differently.


This has been a very interesting exploration! OK, so in the sense of "wildcard versus IDN" ... and of apples & oranges, chalk and cheese: Do people feel that:

  * IDNs present more danger than wildcards,

  * wildcards present more danger than IDNs,

  * they are approximately the same level of danger,
    and trying to separate them out is not efficacious
    at this level of discussion?

Pick one?

This would feed into "problematic practices" and a clause that says "do you treat these things with more care?" For example, if we look at:

    https://wiki.mozilla.org/CA:Problematic_Practices

We see one, and not the other.



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
