[This thread is to continue the discussion from bug 554442; this
message recaps the substance of the existing discussion.]

It would be great if a Mozilla-recognized CA would be willing to give
me, as the registrant of mattmccutchen.net, an intermediate CA
certificate with a critical name constraint limiting it to
mattmccutchen.net.  That would give me unlimited flexibility to issue
certificates for subdomains without bothering the CA.  Such a
certificate would be an alternative to a wildcard certificate that
removes some limitations without fundamentally changing the security
model.

What are the technical obstacles that stand in the way of issuing such
certificates?  I am aware of two:

#1. Bug 394919: NSS accepts the subject common name as an SSL server
name but does not constrain it.  In bug 554442, I requested a hack so
that CAs could start using critical name constraints without NSS
versions lacking the fix for bug 394919 becoming vulnerable, but
Nelson Bolyard decided that wasn't necessary.

#2. The tooltip of the Firefox SSL badge (a.k.a. "Larry" site identity
button) shows the Organization field of the lowest CA certificate,
i.e., the immediate signer of the server certificate.  The registrant
could put a misleading value in this field.  For example:

"Some Mozilla-recognized CA"
\_ "Matt's CA" (name constraint: mattmccutchen.net)
   \_ "your evil twin"
      \_ foo.mattmccutchen.net

+------------------------------+      +-----------------------------+
| [icon] foo.mattmccutchen.net | ---> | Verified by: your evil twin |
+------------------------------+      +-----------------------------+

Setting a maximum path length of 0 on the registrant's certificate
would prevent this outcome, but it's a disappointing solution.  Should
Firefox show the organization name of the root CA instead, since it is
ultimately responsible for all validation paths that end at its trust
bit?

--
Matt
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
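
The two obstacles described in the message above, modelled as an added example that is not part of the original post and is not NSS or Firefox code. The `Cert` class, the sample chains and the rule that the leaf CN is always treated as a server name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    """Constructed stand-in for the few X.509 fields this example needs."""
    cn: str                                   # subject common name
    org: str = ""                             # subject Organization
    san_dns: List[str] = field(default_factory=list)        # subjectAltName dNSName entries
    permitted_dns: List[str] = field(default_factory=list)  # nameConstraints permitted subtrees
    path_len: Optional[int] = None            # basicConstraints pathLenConstraint

def in_subtree(name: str, base: str) -> bool:
    """dNSName constraint match: the base itself, or the base with labels added on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def check_chain(chain: List[Cert], constrain_cn: bool = True) -> List[str]:
    """chain is ordered root first, server certificate last; returns the violations found."""
    leaf, problems = chain[-1], []
    # Assumption of this example: the leaf CN is always a candidate server name.
    names = leaf.san_dns + ([leaf.cn] if constrain_cn else [])
    for i, ca in enumerate(chain[:-1]):
        following = len(chain) - i - 2        # CA certificates between this CA and the leaf
        if ca.path_len is not None and following > ca.path_len:
            problems.append(f"{ca.cn}: path length {ca.path_len} exceeded")
        for name in names:
            if ca.permitted_dns and not any(in_subtree(name, b) for b in ca.permitted_dns):
                problems.append(f"{ca.cn}: {name} outside permitted subtrees")
    return problems

def badge_org(chain: List[Cert], use_root: bool = False) -> str:
    """Organization for the 'Verified by' tooltip: immediate signer, or the root."""
    return (chain[0] if use_root else chain[-2]).org

# Constructed sample certificates mirroring the chain drawn in the message.
ROOT = Cert("Root", org="Some Mozilla-recognized CA")
def matts_ca(path_len=None):
    return Cert("Matt's CA", org="Matt's CA", permitted_dns=["mattmccutchen.net"], path_len=path_len)
TWIN = Cert("Twin CA", org="your evil twin")
GOOD = Cert("foo.mattmccutchen.net", san_dns=["foo.mattmccutchen.net"])
CN_ONLY = Cert("www.example.com")   # no SAN; the name lives only in the CN

if __name__ == "__main__":
    print(check_chain([ROOT, matts_ca(), CN_ONLY], constrain_cn=False))  # CN unchecked
    print(check_chain([ROOT, matts_ca(), CN_ONLY]))                      # CN constrained
    print(badge_org([ROOT, matts_ca(), TWIN, GOOD]), "|", check_chain([ROOT, matts_ca(0), TWIN, GOOD]))
```

With `constrain_cn=False` the out-of-scope CN passes unnoticed, which is the gap a validator must close before a critical name constraint can be relied on; `use_root=True` shows the alternative badge text the message proposes.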