On 09.11.2011 02:03, Daniel Kahn Gillmor wrote:
> Matthias, you seem to be aware of the domain-scoped whitelisting policy
> by DFN. Do you know how .local fits in those policies?

It's very simple. The domain whitelist was introduced some time ago (about 1.5 years ago, I think); the "bad" certs you have in your data should be older than that.

> For example, have you tried creating a CSR with a DN with
> CN=twitter.com.tu-ilmenau.de, and a bunch of entries in the
> subjectAltNames extension like:

No, I did not pentest the filter. There is a PKI test instance, e.g. for software development; if that also has this filter (I have only used it for user certs until now), maybe I can play with that one. Requesting a cert for twitter.com would be an open violation of our CA policy by me - I would rather avoid that :)

greets
