On 24/11/2017 13:25, Gervase Markham wrote:
> On 24/11/17 11:37, Rob Stradling wrote:
>> When issuing a "single domain" certificate to (for example)
>> www.example.com or *.example.com, it's fairly common practice for CAs to
>> also include in the certificate a SAN.dNSName for the "base domain"
>> (e.g., example.com). (Similarly, if the certificate request is for
>> example.com, some CAs will add a SAN.dNSName for www.example.com).
>
> IMO these two processes are not at all "similar".
>
> Validate example.com -> add "www.example.com": seems fine to me, and a
> reasonable accommodation to a common customer desire.
>
> Validate www.example.com -> add "example.com": not at all fine.
>
> Validate *.example.com -> add "example.com": still dodgy IMO.
>
> I seem to remember we have come across this before, and I thought we
> said it was not to be done. But perhaps that didn't make it into our
> policy. Do we need to add it?

I seem to recall this was discussed in relation to WoSign or the Korean
RA for Symantec. But the discussion was about improperly using the
"validation via agreed upon website change to www.example.com implies
valid control of example.com" as "validation via agreed upon website
change to userchosensubdomain.example.com implies valid control of
example.com", thus allowing misissuance for delegated subdomains of
project hosts, universities etc.
This rule is normally limited to BR method 3.2.2.4.6 and similar, based
upon considering the specific subdomain www as having similar domain
authority as the well-known e-mail address "hostmaster@".
However extending that logic (if acceptable for the web-site change
method) to other checks (such as CAA or whois lookup) is obviously
wrong, though one can easily imagine accidentally inserting the CAA
checking code at the wrong point in a validation procedure thus
forgetting to run it for the implied bonus SANs resulting from domain
ownership validation.
An equally probable mistake that should thus be included in test suites
is validating control of "example.com" via a strong method (such as
whois checks + EV checks + DNS change), then issuing for example.com,
www.example.com and mail.example.com without checking if there is a
contradictory CAA for one of those names. Noting that in this case
there is no requirement for those subdomains to even exist at the time
of issuance.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
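The failure mode Jakob describes above (validating control of example.com, then issuing for the implied www. and mail. names without running CAA for each of them) can be turned into a concrete test. The following is an added example, not code from the thread or from any CA: it implements the RFC 8659 "relevant CAA RRset" climb and the issue/issuewild/critical-flag rules against a constructed in-memory zone, and contrasts a check that runs once for the validated name with one that runs per SAN. The zone contents, the CA identifiers (goodca.example, otherca.example, wildca.example) and the two precheck functions are all hypothetical; a real implementation would replace lookup_caa with a DNSSEC-aware CAA query and handle lookup failures as "not permitted".

```python
# Added example (not from the thread): per-SAN CAA checking as in RFC 8659,
# run against a constructed in-memory zone rather than live DNS.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in an RFC 8659 CAA RR

# Constructed CAA data for illustration only; not real DNS. Owner names
# are lower-case FQDNs without the trailing dot.
FAKE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "goodca.example")],
    # Contradictory CAA on a subdomain; it need not even have an A record.
    "mail.example.com": [(0, "issue", "otherca.example")],
    # issue and issuewild naming different CAs.
    "shop.example": [(0, "issue", "goodca.example"), (0, "issuewild", "wildca.example")],
    # "issue ;" (empty issuer domain) means no CA at all may issue.
    "locked.example": [(0, "issue", ";")],
    # An unknown property tag with the critical flag (bit value 128) set.
    "strict.example": [(128, "futuretag", "x")],
}


def lookup_caa(name: str) -> List[CAARecord]:
    """Stand-in for a DNS CAA query; returns the RRset for exactly this owner name."""
    return FAKE_ZONE.get(name.lower().rstrip("."), [])


def relevant_caa_set(name: str) -> List[CAARecord]:
    """RFC 8659 section 3: the first non-empty CAA RRset walking from the name up to the root.
    A wildcard name such as '*.shop.example' is tried literally first, then its parents."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; an empty result means no CA may issue."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca_domain: str, san: str) -> bool:
    """True if the CA identified by ca_domain may issue for this one SAN."""
    rrset = relevant_caa_set(san)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False  # a critical property we do not understand: must not issue
    wildcard = san.startswith("*.")
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    # issuewild governs wildcard names when present; otherwise issue applies.
    # issuewild is ignored entirely for non-wildcard names.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef, or only issuewild for a non-wildcard name: no restriction
    return ca_domain.lower() in {issuer_domain(v) for v in applicable}


def buggy_precheck(ca_domain: str, validated_name: str, implied_sans: List[str]) -> bool:
    """The mistake from the message: CAA is consulted once, for the name whose
    control was validated, and the implied bonus SANs ride along unchecked."""
    return caa_permits(ca_domain, validated_name)


def correct_precheck(ca_domain: str, sans: List[str]) -> Dict[str, bool]:
    """CAA is evaluated independently for every name that will appear in the certificate."""
    return {san: caa_permits(ca_domain, san) for san in sans}


if __name__ == "__main__":
    ca = "goodca.example"
    validated = "example.com"
    sans = [validated, "www.example.com", "mail.example.com"]
    print("buggy  :", buggy_precheck(ca, validated, sans[1:]))   # True: mail. never checked
    print("correct:", correct_precheck(ca, sans))                # mail.example.com -> False
```

Running it shows the buggy path happily approving the whole SAN list while the per-SAN path refuses mail.example.com, whose own CAA names a different CA. The wildcard entries in the zone make the second point from the thread testable too: goodca.example may issue for api.shop.example but not for *.shop.example, because issuewild overrides issue only for wildcard names.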