[This thread is to continue the discussion from bug 554442; this message recaps the substance of the existing discussion.]

It would be great if a Mozilla-recognized CA would be willing to give me, as the registrant of mattmccutchen.net, an intermediate CA certificate with a critical name constraint limiting it to mattmccutchen.net. That would give me unlimited flexibility to issue certificates for subdomains without bothering the CA. Such a certificate would be an alternative to a wildcard certificate that removes some limitations without fundamentally changing the security model.

What are the technical obstacles that stand in the way of issuing such certificates? I am aware of two:

#1. Bug 394919: NSS accepts the subject common name as an SSL server name but does not constrain it. In bug 554442, I requested a hack so that CAs could start using critical name constraints without NSS versions lacking the fix for bug 394919 becoming vulnerable, but Nelson Bolyard decided that wasn't necessary.

#2. The tooltip of the Firefox SSL badge (a.k.a. "Larry" site identity button) shows the Organization field of the lowest CA certificate, i.e., the immediate signer of the server certificate. The registrant could put a misleading value in this field. For example:

"Some Mozilla-recognized CA"
 \_ "Matt's CA" (name constraint: mattmccutchen.net)
    \_ "your evil twin"
       \_ foo.mattmccutchen.net

+------------------------------+      +-----------------------------+
| [icon] foo.mattmccutchen.net | ---> | Verified by: your evil twin |
+------------------------------+      +-----------------------------+

Setting a maximum path length of 0 on the registrant's certificate would prevent this outcome, but it's a disappointing solution. Should Firefox show the organization name of the root CA instead, since it is ultimately responsible for all validation paths that end at its trust bit?

-- 
Matt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
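The chain from the message above, rebuilt with throwaway openssl keys as an added example that is not part of the original post or of any NSS/Mozilla code: it checks that the name-constrained intermediate rejects an out-of-scope name, that nothing in the constraint itself stops a "your evil twin" sub-CA from being inserted below it (which is what the Larry tooltip would then display), and that a pathlen:0 limit is what blocks that extra level. It assumes an openssl 1.1 or later binary on PATH; every subject name, file name and config section here is constructed for the example.

```shell
# Added example, not from the original post: rebuild the chain from the message with
# throwaway keys. Assumes openssl 1.1+ on PATH; all certs here are constructed and short-lived.
set -e; cd "$(mktemp -d)"
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[matt]
basicConstraints = critical,CA:TRUE
nameConstraints = critical,permitted;DNS:mattmccutchen.net
[matt_p0]
basicConstraints = critical,CA:TRUE,pathlen:0
nameConstraints = critical,permitted;DNS:mattmccutchen.net
[foo]
subjectAltName = DNS:foo.mattmccutchen.net
[other]
subjectAltName = DNS:www.example.com
EOF
# issue NAME ISSUER EXTSECTION SUBJECT: new EC key + CSR for NAME, signed by ISSUER ("self" = self-signed)
issue() {
  openssl req -new -config ext.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "$4" 2>/dev/null
  if [ "$2" = self ]; then signer="-signkey $1.key"; else signer="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
  openssl x509 -req -in "$1.csr" $signer -days 7 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
# chains_to_root LEAF INTERMEDIATE...: exit 0 iff LEAF validates to root.pem through the intermediates
chains_to_root() {
  leaf=$1; shift
  for i; do cat "$i.pem"; done > untrusted.pem
  openssl verify -CAfile root.pem -untrusted untrusted.pem "$leaf.pem" >/dev/null 2>&1
}
issue root self ca "/O=Some Mozilla-recognized CA/CN=Test Root"
issue matt root matt "/O=Matt's CA/CN=mattmccutchen.net CA"            # name-constrained, no pathlen
issue direct matt foo "/CN=foo.mattmccutchen.net"
issue evil matt ca "/O=your evil twin/CN=Evil Twin CA"                 # sub-CA the registrant can create
issue foo evil foo "/O=your evil twin/CN=foo.mattmccutchen.net"
issue other evil other "/O=your evil twin/CN=www.example.com"
issue matt_p0 root matt_p0 "/O=Matt's CA/CN=mattmccutchen.net CA p0"   # same CA, but pathlen:0
issue evil_p0 matt_p0 ca "/O=your evil twin/CN=Evil Twin CA"
issue foo_p0 evil_p0 foo "/O=your evil twin/CN=foo.mattmccutchen.net"
report() { if chains_to_root "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report direct matt              # accepted: in-scope name, issued directly by Matt's CA
report foo evil matt            # accepted: "your evil twin" is what Larry's tooltip would show
report other evil matt          # rejected: www.example.com violates the critical name constraint
report foo_p0 evil_p0 matt_p0   # rejected: pathlen:0 forbids the extra sub-CA level
```

The name constraint is inherited by everything below Matt's CA, so the evil-twin leaf still cannot name anything outside mattmccutchen.net; only its displayed Organization is under the registrant's control.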
It would be great if a Mozilla-recognized CA would be willing to give me, as the registrant of mattmccutchen.net, an intermediate CA certificate with a critical name constraint limiting it to mattmccutchen.net. That would give me unlimited flexibility to issue certificates for subdomains without bothering the CA. Such a certificate would be an alternative to a wildcard certificate that removes some limitations without fundamentally changing the security model. What are the technical obstacles that stand in the way of issuing such certificates? I am aware of two: #1. Bug 394919: NSS accepts the subject common name as an SSL server name but does not constrain it. In bug 554442, I requested a hack so that CAs could start using critical name constraints without NSS versions lacking the fix for bug 394919 becoming vulnerable, but Nelson Bolyard decided that wasn't necessary. #2. The tooltip of the Firefox SSL badge (a.k.a. "Larry" site identity button) shows the Organization field of the lowest CA certificate, i.e., the immediate signer of the server certificate. The registrant could put a misleading value in this field. For example: "Some Mozilla-recognized CA" \_ "Matt's CA" (name constraint: mattmccutchen.net) \_ "your evil twin" \_ foo.mattmccutchen.net +------------------------------+ +-----------------------------+ | [icon] foo.mattmccutchen.net | ---> | Verified by: your evil twin | +------------------------------+ +-----------------------------+ Setting a maximum path length of 0 on the registrant's certificate would prevent this outcome, but it's a disappointing solution. Should Firefox show the organization name of the root CA instead, since it is ultimately responsible for all validation paths that end at its trust bit? -- Matt -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto