Re: [openssl-users] How many SAN entries...?

2017-04-27 Thread Blumenthal, Uri - 0553 - MITLL
It depends on the CA in question, more so on the number of the attributes that 
are included, and of course on the set of users. ;-)

So far I assure you I've no concern for pitchforks. ;-)

Regards,
Uri

P.S. Why do you think validating, e.g., three email addresses is any more 
difficult than one? If that one is not under your direct control, that is? 
Sure, it may take longer to validate three - but it's the "process" time, not 
"human/employee" time. 


> On Apr 27, 2017, at 10:28, Jochen Bern  wrote:
> 
> On 04/27/2017 04:09 PM, openssl-users-requ...@openssl.org digested:
>> From: "Blumenthal, Uri - 0553 - MITLL" 
>> 
>> You do not "revoke" a subset of attributes aka SAN emails. When any of
>> the certified attributes changes (i.e., is certification no longer valid),
>> the certificate is revoked and (possibly) re-issued.
> 
> Precisely. Now imagine the cert being used for S/MIME (why would a cert
> list several e-mail addresses if it weren't somehow related to e-mails
> and the addressee's identity?) and the CA or its procedures insisting on
> renewing keypairs when a new cert is issued. I'd say you'd get users
> and their pitchforks asking for multiple SINGLE-attribute/value certs
> real fast.
> 
> Regards,
> -- 
> Jochen Bern
> Systems Engineer
> 
> Phone: +49 6151 9067-231
> Fax: +49 6151 9067-290
> E-Mail: jochen.b...@binect.de
> 
> www.binect.de
> www.facebook.de/binect
> 
> Binect is award-winning:
> Winner INNOVATIONSPREIS-IT 2017 | Das Büro: Top 100 Office Products 2017
> 
> Binect GmbH
> 
> Robert-Koch-Straße 9, 64331 Weiterstadt, DE
> 
> Management: Christian Ladner, Dr. Frank Wermeyer, Nils Manegold
> Registered office: Weiterstadt
> Commercial register: Amtsgericht Darmstadt, HRB 94685
> VAT ID: DE 221 302 264
> 
> MAX 21 group of companies
> This e-mail may contain confidential and/or privileged information. If
> you are not the intended recipient (or have received this e-mail in
> error) please notify the sender immediately and destroy this e-mail. Any
> unauthorized copying, disclosure or distribution of contents of this
> e-mail is strictly prohibited. All Binect GmbH emails are created
> thoroughly, nevertheless we do not accept any legal obligation for the
> information and wording contained herein. Binect GmbH has taken
> precautionary measures to reduce the risk of possible distribution of
> virus infected software or emails. However, we advise you to check
> attachments to this email for viruses. Except for cases of intent or
> gross negligence, we cannot accept any legal obligation for loss or
> damage by virus infected software.
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




Re: [openssl-users] How many SAN entries...?

2017-04-27 Thread Jochen Bern
On 04/27/2017 04:09 PM, openssl-users-requ...@openssl.org digested:
> From: "Blumenthal, Uri - 0553 - MITLL" 
> 
> You do not "revoke" a subset of attributes aka SAN emails. When any of
> the certified attributes changes (i.e., is certification no longer valid),
> the certificate is revoked and (possibly) re-issued.

Precisely. Now imagine the cert being used for S/MIME (why would a cert
list several e-mail addresses if it weren't somehow related to e-mails
and the addressee's identity?) and the CA or its procedures insisting on
renewing keypairs when a new cert is issued. I'd say you'd get users
and their pitchforks asking for multiple SINGLE-attribute/value certs
real fast.

Regards,
-- 
Jochen Bern
Systems Engineer




Re: [openssl-users] How many SAN entries...?

2017-04-27 Thread Blumenthal, Uri - 0553 - MITLL
You do not "revoke" a subset of attributes aka SAN emails. When any of the 
certified attributes changes (i.e., is certification no longer valid), the 
certificate is revoked and (possibly) re-issued. The process is no different 
than with any other set of attributes, several of which may be owned/controlled 
by different organizations.

Regards,
Uri


> On Apr 27, 2017, at 09:41, Jochen Bern  wrote:
> 
> On 04/26/2017 07:13 PM, Viktor Dukhovni was digested as writing:
>> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>>> It's been my understanding that a cert can contain as many SAN attributes
>>> as needed, but it appears that Apple believes it has to be only one
>>> (because certificates with more than one are not processed properly).
>> 
>> Perhaps CAs have rarely issued email certificates with multiple email
>> addresses.
> 
> The mechanics of verifying - or, if necessary, revoking - every single
> one should be ... interesting. Unless, maybe, it's a boatload of
> ("typo"?) aliases from the same organization.
> 
> [Remembers manually splitting others' PGP pubkeys into single-user-ID
> ones after signing parties so as to send every freshly-signed ID only to
> the *one* address stated in it]
> 
> Regards,
> -- 
> Jochen Bern
> Systems Engineer
> 




Re: [openssl-users] How many SAN entries...?

2017-04-27 Thread Jochen Bern
On 04/26/2017 07:13 PM, Viktor Dukhovni was digested as writing:
> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>> It's been my understanding that a cert can contain as many SAN attributes
>> as needed, but it appears that Apple believes it has to be only one
>> (because certificates with more than one are not processed properly).
> 
> Perhaps CAs have rarely issued email certificates with multiple email
> addresses.

The mechanics of verifying - or, if necessary, revoking - every single
one should be ... interesting. Unless, maybe, it's a boatload of
("typo"?) aliases from the same organization.

[Remembers manually splitting others' PGP pubkeys into single-user-ID
ones after signing parties so as to send every freshly-signed ID only to
the *one* address stated in it]

Regards,
-- 
Jochen Bern
Systems Engineer



Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Jeffrey Walton
On Wed, Apr 26, 2017 at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> A naïve question. A certificate that contains SAN attribute(s) – is there a
> limit on how many, say, RFC822 SAN attributes can a valid certificate have?
>
> It’s been my understanding that a cert can contain as many SAN attributes as
> needed, but it appears that Apple believes it has to be only one (because
> certificates with more than one are not processed properly).

Lol... Apple is notorious for their defective and untested software.
I'm pretty sure they don't have a QA department. Also see
https://news.ycombinator.com/item?id=11034071.

Worse, when a bug is reported through their RADAR, it goes unfixed.
They force users into QA, and then don't fix the bugs that are
reported.

Jeff


Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Alan Buxey
Confirmed, I've seen dozens on one cert - far more preferable to do
that and have such numbers than a single wildcard cert (which has
issues on all sorts of platforms for various purposes).

alan

On 26 April 2017 at 18:24, Blumenthal, Uri - 0553 - MITLL wrote:
>>> It’s been my understanding that a cert can contain as many SAN attributes
>>> as needed, but it appears that Apple believes it has to be only one
>>> (because certificates with more than one are not processed properly).
>>
>> Perhaps CAs have rarely issued email certificates with multiple email
>> addresses.
>
> :-)
>
>> OpenSSL will accept multiple email SANs and with email name checks will
>> accept the certificate as valid so long as *one* of the addresses is a
>> match.
>
> Thank you! That’s what I expected and hoped for. Appreciate the help!
>


Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Blumenthal, Uri - 0553 - MITLL
>> It’s been my understanding that a cert can contain as many SAN attributes
>> as needed, but it appears that Apple believes it has to be only one
>> (because certificates with more than one are not processed properly).
>
> Perhaps CAs have rarely issued email certificates with multiple email
> addresses.

:-)

> OpenSSL will accept multiple email SANs and with email name checks will
> accept the certificate as valid so long as *one* of the addresses is a
> match.

Thank you! That’s what I expected and hoped for. Appreciate the help!





Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Viktor Dukhovni

> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> 
> A naïve question. A certificate that contains SAN attribute(s) – is there a
> limit on how many, say, RFC822 SAN attributes can a valid certificate have?

None of the standard SAN types (DNS, Email, IP, ...) are limited to just one
entry.  If you try to have hundreds of them, eventually the certificate may
become too big for various protocols, but that's an explicit limit on the SAN
multiplicity.

> It’s been my understanding that a cert can contain as many SAN attributes
> as needed, but it appears that Apple believes it has to be only one
> (because certificates with more than one are not processed properly).

Perhaps CAs have rarely issued email certificates with multiple email 
addresses. 

> Sanity check: please validate – am I correct that having, say, two RFC822
> email addresses in one cert is OK?

OpenSSL will accept multiple email SANs and with email name checks will accept
the certificate as valid so long as one of the addresses is a match.

-- 
Viktor.

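Viktor's answer above (several rfc822Name SANs are legal, and the email name check passes as soon as one of them matches) is easy to see end to end in code. The block below is an added example written for this thread, not code from the list or from OpenSSL itself. It encodes a subjectAltName value carrying several email addresses as raw DER (no third-party library needed), decodes it again, and then applies the acceptance rule the thread describes. The comparison follows what OpenSSL's X509_check_email() does for rfc822Name entries: the local part is compared case-sensitively, the domain part case-insensitively, and the first matching entry wins. The addresses are constructed for the example; nothing here talks to a CA or validates a signature.

```python
# Added example (not from openssl-users or OpenSSL): multiple rfc822Name SANs in
# one subjectAltName, and the "accept if any ONE address matches" rule that the
# thread attributes to OpenSSL's email name check.

RFC822_NAME_TAG = 0x81   # GeneralName CHOICE [1] IMPLICIT IA5String (context-specific, primitive)
SEQUENCE_TAG = 0x30      # GeneralNames ::= SEQUENCE OF GeneralName


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san_emails(emails):
    """Encode a list of addresses as the DER value of a subjectAltName extension."""
    inner = b"".join(
        bytes([RFC822_NAME_TAG]) + _der_length(len(e)) + e.encode("ascii")
        for e in emails
    )
    return bytes([SEQUENCE_TAG]) + _der_length(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_san_emails(der: bytes):
    """Return every rfc822Name in a GeneralNames blob; other name types are skipped."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    emails, pos = [], 0
    while pos < len(body):
        t, value, pos = _read_tlv(body, pos)
        if t == RFC822_NAME_TAG:
            emails.append(value.decode("ascii"))
    return emails


def email_matches(cert_email: str, expected: str) -> bool:
    """Compare as OpenSSL's equal_email() does: split at the last '@', local part
    case-sensitive, domain part case-insensitive."""
    if "@" not in cert_email or "@" not in expected:
        return False
    c_local, _, c_domain = cert_email.rpartition("@")
    e_local, _, e_domain = expected.rpartition("@")
    return c_local == e_local and c_domain.lower() == e_domain.lower()


def cert_accepts_email(san_der: bytes, expected: str) -> bool:
    """The thread's rule: the cert is valid for `expected` if any one SAN entry matches."""
    return any(email_matches(e, expected) for e in decode_san_emails(san_der))


# Constructed sample: one certificate's SAN carrying three addresses.
SAMPLE_EMAILS = ["alice@example.org", "Alice.Alias@example.org", "a.lias@mail.example.org"]
SAMPLE_SAN = encode_san_emails(SAMPLE_EMAILS)

if __name__ == "__main__":
    print("SAN entries:", decode_san_emails(SAMPLE_SAN))
    for probe in ["a.lias@MAIL.example.org", "ALICE@example.org", "bob@example.org"]:
        print(f"{probe:28s} accepted={cert_accepts_email(SAMPLE_SAN, probe)}")
```

Two things worth noticing when running it: the encoder switches to long-form DER lengths automatically, so a SAN with hundreds of entries round-trips just as Viktor says (the only practical limit is certificate size), and a successful check proves only that the probed address is one of the listed names. It says nothing about the other entries in the same certificate, which is the point behind Rich's remark that such certificates are rare because of their spoofing potential; a relying party that cares which address signed a message should compare the From address against the matched entry rather than treating the whole certificate as "the user's".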


Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Salz, Rich via openssl-users
> A naïve question. A certificate that contains SAN attribute(s) – is there a 
> limit on how many, say, RFC822 SAN attributes can a valid certificate have? 

No.

> It’s been my understanding that a cert can contain as many SAN attributes as 
> needed, but it appears that Apple believes it has to be only one (because 
> certificates with more than one are not processed properly).

I can guess at, and understand, their reasoning -- it allows mail spoofing and 
stealing.  And the use of such certs is not common. 


[openssl-users] How many SAN entries...?

2017-04-26 Thread Blumenthal, Uri - 0553 - MITLL
A naïve question. A certificate that contains SAN attribute(s) – is there a
limit on how many, say, RFC822 SAN attributes can a valid certificate have?

It’s been my understanding that a cert can contain as many SAN attributes as
needed, but it appears that Apple believes it has to be only one (because
certificates with more than one are not processed properly).

 

Sanity check: please validate – am I correct that having, say, two RFC822 email 
addresses in one cert is OK?

— 

Regards,

Uri
