On Sat, 05 Nov 2011 16:40:03 +0100, Matthias Hunstock <[email protected]> wrote:
> I am member of one of these LRAs and I can tell you that we can NOT
> issue a cert for twitter.com.
I'm really glad to hear that DFN policies prevent this in some way!
Can i ask how you have tested this restriction? I assume that you at
least tried with a CSR that has a DN with CN=twitter.com and had it
rejected. Have you tried anything more sophisticated than that?
For example, have you tried creating a CSR with a DN with
CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
subjectAltNames extension like:
DNS:twitter.com.tu-ilmenau.de,
DNS:autodiscover.twitter.com.tu-ilmenau.de,
DNS:twitter.com,
DNS:autodiscover.twitter.com.local,
DNS:twitter.com.local
If you're worried about raising red flags by experimenting with a
high-profile domain like twitter.com, you're welcome to try to spoof
danielgillmor.com (a domain i control) instead.
Regards,
--dkg
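The check the message is probing for, written out as an added example (not code from this thread, from DFN or from any RA): an RA-side validator that applies the "names must lie under the requester's own zone" rule to the CN and to every subjectAltName entry, matching on label boundaries rather than with a bare suffix test. The authorized zone list, the CSR name shape and the handling of non-DNS SAN types are assumptions made for the example.

```python
"""Registration-authority style name check for a certificate request:
every requested name (the CN and each subjectAltName entry) must fall
under a zone the requester is authorized for, or the request is rejected.
Assumed policy: only DNS names are issued; any other SAN type is refused."""


def _norm(name: str) -> str:
    # Lower-case, trim whitespace and drop one trailing root-label dot.
    return name.strip().lower().rstrip(".")


def _under(name: str, zone: str) -> bool:
    """True if name equals zone or is a proper subdomain of it.
    Compares on label boundaries, so 'eviltu-ilmenau.de' is NOT under
    'tu-ilmenau.de' even though a naive endswith() would say it is."""
    name, zone = _norm(name), _norm(zone)
    return bool(zone) and (name == zone or name.endswith("." + zone))


def check_csr_names(common_name, sans, authorized_zones):
    """Return (ok, rejected): rejected lists every requested name that is
    not covered by authorized_zones. sans is a list of (type, value)
    tuples mirroring the entries of the subjectAltName extension."""
    rejected = []
    for kind, value in [("CN", common_name)] + list(sans):
        if kind not in ("CN", "DNS"):
            rejected.append(f"{kind}:{value}")  # IP/email/URI: not issued
            continue
        host = _norm(value)
        if host.startswith("*."):
            host = host[2:]  # wildcard: the base domain must be authorized
        if not host or not any(_under(host, z) for z in authorized_zones):
            rejected.append(f"{kind}:{value}")
    return (not rejected, rejected)


# Constructed request in the shape described in the thread; the CN alone
# passes, the third, fourth and fifth SAN entries must not.
REQUEST_CN = "twitter.com.tu-ilmenau.de"
REQUEST_SANS = [
    ("DNS", "twitter.com.tu-ilmenau.de"),
    ("DNS", "autodiscover.twitter.com.tu-ilmenau.de"),
    ("DNS", "twitter.com"),
    ("DNS", "autodiscover.twitter.com.local"),
    ("DNS", "twitter.com.local"),
]
AUTHORIZED_ZONES = ["tu-ilmenau.de"]  # assumed: the LRA's delegated zone

if __name__ == "__main__":
    ok, bad = check_csr_names(REQUEST_CN, REQUEST_SANS, AUTHORIZED_ZONES)
    print("accept" if ok else "reject", bad)
```

A CN-only check accepts this request; the full-name check rejects it on the three SAN entries outside the delegated zone.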
