Eddy Nigg wrote, On 2008-11-24 09:14:
> On 11/23/2008 12:32 AM, Nelson B Bolyard:
>> There's no foolproof test for determining if a string is a DNS name or
>> some other kind of name. Various heuristics can be devised, but they
>> all have problems.
>
> This worries me somewhat and I question the usefulness of the
> name-constraints then...
>
> Consider the following scenario at a customer of a blackbox product:
>
> - Employee gains physical access to the machine, shuts down the machine
>   by force (removing machine from electricity source).
> - He removes the hardware token from the machine and connects it to a
>   different system.
> - He prints and signs a few certificates for www.paypal.com and
>   www.microsoft.com ... certificates that do not use standard Subject Alt
>   Names extensions but rather use the old non-standard Subject Common Name.
> - Returns the token back to the blackbox. Returns power source and
>   starts the machine.
>
> [...] Now, name-constraints will fail for those
> certificates under the various scenarios you explained, including the
> cases where no SAN DNS is present in the first place :S

The only solution to this that is apparent to me is for the web to evolve
to the point where browsers no longer accept DNS names in non-standard
locations in the cert, such as in the Subject Common Name.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
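The failure mode discussed above, as an added illustration that is not code from the thread or from NSS: a verifier that applies dNSName constraints only to SAN entries has nothing to check on a CN-only certificate, while a CN heuristic catches that case but still cannot be foolproof. Certificates are modelled as plain dicts and the constraint matching is a simplified RFC 5280 subtree match (assumptions of this example).

```python
import re

# Added example (not from the thread). A certificate is modelled as
# {"cn": str, "san_dns": [str, ...]}; permitted subtrees as a list of str.

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def looks_like_dns_name(value):
    """Heuristic only (the 'no foolproof test' point): LDH labels, at least
    one dot, alphabetic last label. It rejects 'Eddy Nigg' but also misses
    single-label hosts such as 'localhost', which browsers do accept."""
    labels = value.lower().rstrip(".").split(".")
    return (len(labels) >= 2 and all(_LABEL.match(l) for l in labels)
            and labels[-1].isalpha())

def dns_within_constraint(name, constraint):
    """RFC 5280 4.2.1.10: a dNSName satisfies a permitted subtree when it
    equals it or adds whole labels on the left ('notexample.com' is not
    within 'example.com')."""
    n = name.lower().rstrip(".")
    c = constraint.lower().strip(".")
    return n == c or n.endswith("." + c)

def check_name_constraints(cert, permitted_dns, cn_fallback):
    """Return 'ok', 'rejected' or 'unconstrained'.
    cn_fallback=False models a verifier that constrains only SAN dNSNames:
    a CN-only cert has nothing to check and is not rejected, although a
    browser will still treat its CN as the host name. cn_fallback=True
    applies the heuristic to the CN when no SAN dNSName exists."""
    names = list(cert.get("san_dns") or [])
    if not names and cn_fallback and looks_like_dns_name(cert.get("cn", "")):
        names = [cert["cn"]]
    if not names:
        return "unconstrained"
    if all(any(dns_within_constraint(n, c) for c in permitted_dns) for n in names):
        return "ok"
    return "rejected"

if __name__ == "__main__":
    permitted = ["example.com"]  # constructed: constraint on the blackbox sub-CA
    san_cert = {"cn": "www.paypal.com", "san_dns": ["www.paypal.com"]}
    cn_only = {"cn": "www.paypal.com", "san_dns": []}  # the thread's scenario
    print(check_name_constraints(san_cert, permitted, False))  # rejected
    print(check_name_constraints(cn_only, permitted, False))   # unconstrained
    print(check_name_constraints(cn_only, permitted, True))    # rejected
    print(check_name_constraints({"cn": "localhost", "san_dns": []},
                                 permitted, True))             # unconstrained
```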

