On 30/12/2018 14:18, Nick Lamb wrote:
> On Thu, 27 Dec 2018 22:43:19 +0100
> Jakob Bohm via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> You must be traveling in a rather limited bubble of PKIX experts, all
>> of whom live and breathe the reading of RFC5280.  Technical people
>> outside that bubble may have easily misread the relevant paragraph in
>> RFC5280 in various ways.
>
> It's practically a pub quiz question. I appreciate that I might be
> unusual in happening to care about this as a lay person, but for a
> public CA in the Web PKI correctly understanding this stuff was _their
> job_. It isn't OK for them to be bad at their jobs.

Pub quiz questions are particularly tailored to refer to arcane and
unexpected facts, which some punters have memorized.


>> The documents that prescribe the exact workings of DNS do not
>> prohibit (only discourage) DNS names containing underscores.  Web
>> browser interfaces for URL parsing may not allow them, which would be
>> a technical benefit for at least one usage of such certificates
>> reported in the recent discussion.
>
> We get it, you don't accept that not all DNS names can be names of
> hosts. That you still seem determined not to understand this even
> when it's explained repeatedly shows that my characterization of this
> position was correct.

I accept that not all DNS names can be names of hosts.  I do not accept
(without further proof) that certificate issuance is banned for DNS
labels that do not refer to hosts at all.  In this case because some
(unknown) higher level protocol requires the TLS server name to be a
label of a special form, specifically designed not to be a host name.

And I certainly do not expect subscribers to be aware of such arcane
details; subscribers know that certain proof of domain control is
required, and if they provide that proof and get a certificate
accordingly, they expect that to be perfectly valid and reliable
until otherwise informed by the issuing CA.


>> That I disagree with you on certain questions of fact doesn't mean
>> I'm unreliable, merely that you have not presented any persuasive
>> arguments that you are not the one being wrong.
>
> I can't distinguish people who are "actually" unreliable from people
> who claim the plain facts are "unpersuasive" to their point of view, and
> so I don't. Likewise m.d.s.policy largely doesn't care whether a CA's
> problems are a result of incompetence or malfeasance, same outcome
> either way: distrust.


You keep ignoring that I am arguing the perspective of the subscribers,
not the CAs.

>> I merely
>> dispute that this was obvious to every reader of those documents
>
> Since you like legal analogies, the usual standard in law is that
> something was known _or should have been known_. This means that a
> declaration that you didn't know something holds no weight if a court
> concludes that you _should_ have known it. If you have a responsibility
> to know, "I didn't know" is not usually an excuse.
>
> I don't believe subscribers should have known, but I do believe
> Certificate Authorities should have known, or, as corporate entities,
> should have employed someone who knew that this was an important thing
> to understand, did their research and came back with a "No" that had
> the effect of setting issuance policy.


Which is precisely my point. There are lots of people outside the tiny public CA technical and policy community who are technical experts but unaware of that highly obscure reading of RFC5280.

> Doubtless some ordinary subscribers believe Africa is a country. I
> don't have a problem with that. But I hope we agree that a CA should
> not sign a certificate which gives C=AP (an ISO code reserved for other
> reasons associated with Africa) on the rationale that they thought
> Africa is a country.


Our disagreement would be if multiple such CAs had issued a bunch of
C=AP certificates to relevant organizations for use in some scheme that
has been technically locked to this aspect.  In such a case it would be
reasonable to allow those organizations to remove that technical lock,
then get new certificates in an orderly fashion.

>> A better example is the pre-2015 issuing of .onion names, which do
>> not exist in the IANA-rooted DNS.
>
> A better example in the sense that, if this happened today we would
> expect CAs not to issue for such a name without first getting a change
> to the BRs saying this hierarchy is special ?
>
> If the situation was that CAs had sensibly not issued for underscores,
> then asked if they could and been turned down this entire thread would
> not exist.


I strongly suspect (but have no data) that underscore certificates may
date back a long time as a practice, perhaps even before the CAB/F was
established.


>> I wrote this in opposition to someone seemingly insisting that the
>> _name_ implied that all non-web uses are mistakes that should not be
>> given any credence.
>
> You wrote it in reply to me, and you quoted me. I don't know whether my
> reciting these facts will be "persuasive" to you, but once again
> refusing to believe something won't stop it being true - it only affects
> your credibility.


Sorry, I lost track of the threading, I thought it was to one of the
others.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
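The disputed rule in the thread above is concrete enough to check mechanically. RFC 5280 section 4.2.1.6 requires a dNSName in the subjectAltName to be in the "preferred name syntax" of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1: each label consists only of letters, digits and hyphens, with no leading or trailing hyphen, at most 63 octets per label, and an underscore is simply not in the permitted alphabet. The following is an added example, not code from the thread or from any CA or Mozilla tooling; it validates a list of SAN strings against that rule. The wildcard handling (a bare `*` as the leftmost label) is an assumption layered on top of RFC 5280 to reflect what public CAs issue in practice, and the `SAMPLE_SANS` list is constructed for illustration.

```python
"""Check dNSName SAN values against RFC 5280's preferred-name-syntax rule.

Added example (not from the mailing-list thread). RFC 5280 s4.2.1.6 points
dNSName at RFC 1034 s3.5 as modified by RFC 1123 s2.1: labels are LDH
(letters, digits, hyphen), may not start or end with a hyphen, may not
exceed 63 octets, and underscores are not in the alphabet at all.
"""
from __future__ import annotations

import re
from typing import Dict, List

# One LDH label. RFC 1123 relaxed RFC 1034's "must start with a letter" so
# a leading digit is fine; the label must still end with a letter or digit.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 253  # 255 on the wire once length octets and root are added


def check_dns_name(name: str, allow_wildcard: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the name conforms.

    allow_wildcard (assumption, not part of RFC 5280): accept a single '*'
    as the entire leftmost label, as the CA/Browser Forum Baseline
    Requirements permit for dNSName entries.
    """
    problems: List[str] = []
    if name == "" or name.endswith("."):
        return ["name is empty or carries a trailing dot"]
    if len(name) > MAX_NAME_OCTETS:
        problems.append(f"name exceeds {MAX_NAME_OCTETS} octets")

    labels = name.split(".")
    for i, label in enumerate(labels):
        if allow_wildcard and i == 0 and label == "*" and len(labels) > 1:
            continue
        if label == "":
            problems.append(f"label {i} is empty")
            continue
        if len(label) > MAX_LABEL_OCTETS:
            problems.append(f"label {i} exceeds {MAX_LABEL_OCTETS} octets")
            continue
        if "_" in label:
            # Called out separately because this is the case the thread is
            # about: the label may be a valid DNS owner name (for example an
            # SRV or DKIM record) but it is not a valid RFC 5280 dNSName.
            problems.append(f"label {i} ({label!r}) contains an underscore")
        elif not _LDH_LABEL.match(label):
            problems.append(f"label {i} ({label!r}) is not an LDH label")
    return problems


def triage_sans(sans: List[str]) -> Dict[str, List[str]]:
    """Map each non-conforming SAN to its problems; conforming names are omitted."""
    return {san: probs for san in sans if (probs := check_dns_name(san))}


# Constructed sample input: the kind of dNSName list one would pull out of a
# certificate's subjectAltName extension for review.
SAMPLE_SANS = [
    "example.com",
    "www.example.com",
    "3com.example.com",
    "*.example.com",
    "_sip._tcp.example.com",
    "foo_bar.example.com",
    "-bad.example.com",
]

if __name__ == "__main__":
    for san, probs in triage_sans(SAMPLE_SANS).items():
        print(san)
        for p in probs:
            print("   ", p)
```

Run it against a real certificate by feeding it the dNSName values from the subjectAltName extension (for instance the output of `openssl x509 -noout -ext subjectAltName`); anything that lands in the `triage_sans` result is a name a CA should not have issued under RFC 5280, whether or not the underlying DNS would happily resolve it.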
