Since he would have to apply for the cert in person (from what was said earlier) I don't think you can expect him to go break-testing this scheme.
On Tue, Nov 8, 2011 at 8:25 PM, Daniel Kahn Gillmor <[email protected]> wrote:

> On Sat, 05 Nov 2011 16:40:03 +0100, Matthias Hunstock <[email protected]> wrote:
> > I am member of one of these LRAs and I can tell you that we can NOT
> > issue a cert for twitter.com.
>
> I'm really glad to hear that DFN policies prevent this in some way!
>
> Can i ask how you have tested this restriction? I assume that you at
> least tried with a CSR that has a DN with CN=twitter.com and had it
> rejected. Have you tried anything more sophisticated than that?
>
> For example, have you tried creating a CSR with a DN with
> CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
> subjectAltNames extension like:
>
> DNS:twitter.com.tu-ilmenau.de,
> DNS:autodiscover.twitter.com.tu-ilmenau.de,
> DNS:twitter.com,
> DNS:autodiscover.twitter.com.local,
> DNS:twitter.com.local
>
> If you're worried about raising red flags by experimenting with a
> high-profile domain like twitter.com, you're welcome to try to spoof
> danielgillmor.com (a domain i control) instead.
>
> Regards,
>
> --dkg
>

-- 
Website: http://hallambaker.com/
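The check an LRA needs in order to refuse the request dkg describes, as an added example (not code from this thread or from DFN): it walks the subject CN and every subjectAltName and approves a name only when it sits at a label boundary under the organisation's authorised namespace. The suffix tu-ilmenau.de and the sample names are taken from the quoted message; the function names and the "DNS:host" entry format are my own assumptions.

```python
# Added example (not from the thread): the namespace check an RA should run
# over every name in a CSR before approving it. Assumes the RA has already
# pulled the subject CN and the subjectAltName entries out of the CSR as
# strings in OpenSSL's "DNS:host" style; the authorised suffix is the one
# from the quoted message.

AUTHORISED_SUFFIXES = ("tu-ilmenau.de",)

def normalise(name):
    """Lower-case and strip one trailing dot so 'Foo.DE.' and 'foo.de' compare equal."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name

def in_namespace(name, suffixes=AUTHORISED_SUFFIXES):
    """True only if name equals an authorised suffix or sits under it at a
    label boundary: twitter.com.tu-ilmenau.de passes; twitter.com,
    twitter.com.local and eviltu-ilmenau.de do not."""
    n = normalise(name)
    if not n or any(c in n for c in "*/ @"):
        return False  # wildcards and malformed names are never auto-approved
    return any(n == normalise(s) or n.endswith("." + normalise(s)) for s in suffixes)

def san_dns_name(entry):
    """Return the host from a 'DNS:host' SAN entry, or None for any other
    SAN type (IP:, email:, URI:, ...), which this RA does not auto-approve."""
    kind, sep, value = entry.partition(":")
    return value if sep and kind.strip().upper() == "DNS" else None

def check_csr_names(common_name, sans):
    """Classify the CN and every SAN. Returns (approved, rejected); a single
    rejected entry is enough to refuse the whole request, CN included."""
    approved, rejected = [], []
    entries = [("CN", common_name)] + [("SAN", e) for e in sans]
    for origin, entry in entries:
        host = entry if origin == "CN" else san_dns_name(entry)
        if host is not None and in_namespace(host):
            approved.append(normalise(host))
        else:
            rejected.append(entry)
    return approved, rejected

def csr_is_acceptable(common_name, sans):
    return not check_csr_names(common_name, sans)[1]

# Constructed sample: the CN and SAN list from the quoted message.
SAMPLE_CN = "twitter.com.tu-ilmenau.de"
SAMPLE_SANS = ["DNS:twitter.com.tu-ilmenau.de", "DNS:autodiscover.twitter.com.tu-ilmenau.de",
               "DNS:twitter.com", "DNS:autodiscover.twitter.com.local", "DNS:twitter.com.local"]
```

Run against the sample, the CN passes but three of the five SANs fall outside tu-ilmenau.de, so the request as a whole is refused; a check that looks only at the CN would have approved it.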
