On Wed, 09 Nov 2011 12:28:57 +0100, Matthias Hunstock <[email protected]> wrote:
> On 09.11.2011 02:03, Daniel Kahn Gillmor wrote:
>
> > Matthias, you seem to be aware of the domain-scoped whitelisting policy
> > by DFN. Do you know how .local fits in those policies?
>
> It's very simple. The domain whitelist was introduced some time ago
> (about 1.5 years ago I think), the "bad" certs you have in your data
> should be older than that.
0 dkg@pip:~$ echo | openssl s_client -connect mail.leibniz-gemeinschaft.de:443
2>/dev/null | openssl x509 -text -noout | grep -A3 Valid
Validity
Not Before: Nov 24 16:37:09 2009 GMT
Not After : Nov 23 16:37:09 2014 GMT
Subject: C=DE, O=DFN-Verein, OU=DFN-PKI,
CN=webmail-berlin.leibniz-gemeinschaft.de
0 dkg@pip:~$
Hmm, that's certainly the case for the one I was looking at. So we're
about 2 years into a 5-year certificate lifetime that doesn't meet valid
domain whitelist constraints.
This isn't exactly comforting information, unfortunately :/
> No, I did not pentest the filter. There is a PKI test instance, e.g. for
> software development, if that also has this filter (I only used it for
> user certs so far) maybe I can play with that one.
That'd be an interesting data point.
> Requesting a cert for twitter.com would be an open violation of our CA
> policy by me - I would rather avoid that :)
Understood. :) What about pentesting with a domain that the owner is
willing to let you try to forge?
--dkg
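The audit step discussed in this thread (find certificates that carry names outside the CA's domain whitelist, were issued before the whitelist existed, and are still within their multi-year validity), as an added example that is not part of the original message. It parses the `openssl x509 -text -noout` layout shown above; the sample certificates, the whitelist `example-uni.de`, and the cutoff date of 1 May 2010 are constructed assumptions, not DFN data.

```python
import re
from datetime import datetime

# Constructed sample in "openssl x509 -text -noout" layout (abridged); not real DFN certificates.
SAMPLE_TEXT = """\
Certificate:
    Validity
        Not Before: Nov 24 16:37:09 2009 GMT
        Not After : Nov 23 16:37:09 2014 GMT
    Subject: C=DE, O=Example Uni, OU=Example PKI, CN=webmail.example-uni.de
    X509v3 Subject Alternative Name:
        DNS:webmail.example-uni.de, DNS:webmail.local
Certificate:
    Validity
        Not Before: Jun 15 09:00:00 2011 GMT
        Not After : Jun 14 09:00:00 2016 GMT
    Subject: C=DE, O=Example Uni, OU=Example PKI, CN=www.example-uni.de
    X509v3 Subject Alternative Name:
        DNS:www.example-uni.de
"""

ALLOWED_SUFFIXES = ("example-uni.de",)   # assumed per-organisation domain whitelist
WHITELIST_CUTOFF = datetime(2010, 5, 1)   # assumed: "about 1.5 years" before Nov 2011
AUDIT_DATE = datetime(2011, 11, 9)        # date of the thread

def _parse_time(s):
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y")

def name_allowed(name, allowed=ALLOWED_SUFFIXES):
    """True if name is a whitelisted domain or a subdomain of one (so .local never passes)."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def parse_certs(text):
    """Extract subject CN, SAN DNS names and validity from concatenated openssl -text output."""
    certs = []
    for block in re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]:
        not_before = _parse_time(re.search(r"Not Before:\s*(.+?) GMT", block).group(1))
        not_after = _parse_time(re.search(r"Not After\s*:\s*(.+?) GMT", block).group(1))
        cn = re.search(r"^\s*Subject:.*?CN=([^,\n]+)", block, flags=re.M).group(1).strip()
        sans = re.findall(r"DNS:([^,\s]+)", block)
        names = [cn] + [s for s in sans if s != cn]
        certs.append({"cn": cn, "names": names, "not_before": not_before, "not_after": not_after})
    return certs

def audit(text, now=AUDIT_DATE, cutoff=WHITELIST_CUTOFF):
    """Report still-valid certs with non-whitelisted names; note whether they predate the whitelist."""
    findings = []
    for c in parse_certs(text):
        bad = [n for n in c["names"] if not name_allowed(n)]
        if bad and c["not_after"] > now:
            findings.append({"cn": c["cn"], "bad_names": bad,
                             "predates_whitelist": c["not_before"] < cutoff,
                             "days_remaining": (c["not_after"] - now).days})
    return findings
```

Feed it the output of `openssl x509 -text -noout` over each certificate in the data set; every finding with `predates_whitelist` set is a certificate the filter never saw and that stays trusted until its `Not After` date.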