On Tue, 8 Nov 2011 02:19:32 -0800, Peter Eckersley <[email protected]> wrote:
> I was able to get information about the end entities signed by DFN's sub-CAs 
 [...]
> +--------------------------------------------------------+-------+
> | tld                                                    | c     |
> +--------------------------------------------------------+-------+
 [...]
> | local                                                  |    20 |

.local (the suffix not in the public root servers, but widely used for
link-local names by MDNS-SD [0]) just jumped out at me
here.

The other stuff might have problems (i haven't checked), but certifying
names with .local seems bizarre to me.  Can someone explain why DFN
would legitimately put the .local suffix into a domain-scoped whitelist
for a subordinate CA?

I just fetched the observatory database to have a look at some of these.

mail.leibniz-gemeinschaft.de is one example.  Its X.509 certificate
has the following chain, which appears to validate:

---
Certificate chain
 0 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=webmail-berlin.leibniz-gemeinschaft.de
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein CA Services
 1 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein CA Services
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
---

and the subjectAltName field does in fact contain several names in the
.local zone:

 X509v3 Subject Alternative Name:
         DNS:autodiscover.evaluation-leibniz.de,
         DNS:autodiscover.evaluierung-leibniz.de,
         DNS:autodiscover.leibniz-association.eu,
         DNS:autodiscover.leibniz-gemeinschaft.de,
         DNS:autodiscover.leibniz-gemeinschaft.eu,
         DNS:autodiscover.leibniz.local,
         DNS:autodiscover.leibnizx.de,
         DNS:autodiscover.wgl.de,
         DNS:de-be-lbz-dcex1,
         DNS:de-be-lbz-dcex1.leibniz.local,
         DNS:de-be-lbz-exca1,
         DNS:de-be-lbz-exca1.leibniz.local,
         DNS:evaluation-leibniz.de,
         DNS:evaluierung-leibniz.de,
         DNS:leibniz-association.eu,
         DNS:leibniz-gemeinschaft.de,
         DNS:leibniz-gemeinschaft.eu,
         DNS:leibniz.local,
         DNS:leibnizx.de,
         DNS:mail.leibniz-gemeinschaft.de,
         DNS:webmail-berlin.leibniz-gemeinschaft.de,
         DNS:webmail.leibniz-gemeinschaft.de, DNS:wgl.de
Note the inclusion of leibniz.local, which I bet is in use via MDNS-SD on
more than one of the network segments of the people who read this list,
due to the popularity of "Dead Philosophers" as a computer naming
scheme.

Matthias, you seem to be aware of the domain-scoped whitelisting policy
by DFN.  Do you know how .local fits in those policies?

Regards,

   --dkg

[0] https://secure.wikimedia.org/wikipedia/en/wiki/.local

Attachment: pgp4WB0mOWZ2X.pgp
Description: PGP signature
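A small audit of the kind of SAN list shown in the message above, as an added example that is not code from the original post, from DFN or from the EFF Observatory. It takes the dNSName entries as printed by `openssl x509 -text`, then flags every name that is not globally unique: single-label host names (such as `de-be-lbz-dcex1`) and names under suffixes that RFC 6761, RFC 6762 and RFC 7686 reserve, of which `.local` is the mDNS link-local zone. The sample text is copied from the certificate in the message; the function names and the reason strings are this example's own. (The CA/Browser Forum Baseline Requirements have prohibited publicly trusted CAs from issuing for such internal names since 2015, so a hit from this check on a current certificate is a policy violation, not merely a curiosity.)

```python
"""Audit the dNSName entries of an X.509 subjectAltName for non-unique names.

Added example, not code from the original post. Input is the SAN block as
printed by `openssl x509 -text`; output is the subset of names a publicly
trusted CA has no business certifying, each with the reason.
"""
import re

# Suffixes that never resolve through the public DNS root: RFC 6761
# (localhost, test, example, invalid), RFC 6762 (local), RFC 7686 (onion).
RESERVED_SUFFIXES = {
    "local": "mDNS link-local zone (RFC 6762); any host on the LAN can claim it",
    "localhost": "loopback name (RFC 6761)",
    "test": "reserved for testing (RFC 6761)",
    "example": "reserved for documentation (RFC 6761)",
    "invalid": "reserved, must never resolve (RFC 6761)",
    "onion": "Tor hidden-service suffix (RFC 7686), not a DNS name",
}

# One "DNS:<name>" entry; several may share a line and the block may wrap.
_DNS_ENTRY = re.compile(r"DNS:([^,\s]+)")


def parse_openssl_san(text):
    """Return the dNSName values found in an `openssl x509 -text` SAN block."""
    return _DNS_ENTRY.findall(text)


def classify_name(name):
    """Return a reason if `name` is not a globally unique DNS name, else None."""
    labels = name.strip().lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard label says nothing about the suffix
    if not labels or not all(labels):
        return "malformed name (empty label)"
    if labels[-1] in RESERVED_SUFFIXES:
        return RESERVED_SUFFIXES[labels[-1]]
    if len(labels) == 1:
        return "unqualified single-label host name; only meaningful inside one network"
    return None


def audit_san(names):
    """Map each problematic name to its reason, preserving certificate order."""
    findings = {}
    for name in names:
        reason = classify_name(name)
        if reason is not None:
            findings[name] = reason
    return findings


# Copied from the webmail-berlin.leibniz-gemeinschaft.de certificate quoted
# above, including the final line that carries two entries.
SAMPLE_SAN_TEXT = """\
 X509v3 Subject Alternative Name:
         DNS:autodiscover.evaluation-leibniz.de,
         DNS:autodiscover.evaluierung-leibniz.de,
         DNS:autodiscover.leibniz-association.eu,
         DNS:autodiscover.leibniz-gemeinschaft.de,
         DNS:autodiscover.leibniz-gemeinschaft.eu,
         DNS:autodiscover.leibniz.local,
         DNS:autodiscover.leibnizx.de,
         DNS:autodiscover.wgl.de,
         DNS:de-be-lbz-dcex1,
         DNS:de-be-lbz-dcex1.leibniz.local,
         DNS:de-be-lbz-exca1,
         DNS:de-be-lbz-exca1.leibniz.local,
         DNS:evaluation-leibniz.de,
         DNS:evaluierung-leibniz.de,
         DNS:leibniz-association.eu,
         DNS:leibniz-gemeinschaft.de,
         DNS:leibniz-gemeinschaft.eu,
         DNS:leibniz.local,
         DNS:leibnizx.de,
         DNS:mail.leibniz-gemeinschaft.de,
         DNS:webmail-berlin.leibniz-gemeinschaft.de,
         DNS:webmail.leibniz-gemeinschaft.de, DNS:wgl.de
"""


if __name__ == "__main__":
    names = parse_openssl_san(SAMPLE_SAN_TEXT)
    print(f"{len(names)} dNSName entries")
    for name, reason in audit_san(names).items():
        print(f"  FLAG {name}: {reason}")
```

To run it against a live certificate, feed it the output of `openssl s_client -connect host:443 </dev/null | openssl x509 -text -noout`; the parser only looks at `DNS:` entries, so iPAddress entries would need a second pattern.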