Nelson B Bolyard:
The 44 DNS names don't bother me any. I'm quite willing to believe that
the issuer verified that all those domains had the same registrant.
But the 12 simple host names and the 4 routable IP addresses (each of
which appears twice) bother me.
If I go to a url such as https://12.34.56.78/ and get a page with a lock
icon claiming to be a bank or financial institution, or even a well known
merchant, what assurances has that cert actually offered me?
Likewise, if I go to https://home/ and get a "home" page for some
enterprise, what assurances have I really been offered?
Does this bother anyone else?
Should Mozilla's policy speak to any of these issues?
Host name based certificates can provide an easy attack vector for
internal networks once the host names are known to the attacker. Here we
are talking mostly about networks of organizations and seldom for public
networks. An unattended PC might be easy to manipulate and MITM. Use of
host names should be discouraged.
IP addresses make sense for IP block owners and usage should be
discouraged for general certificates as with the case you stated. IP
addresses can get changed frequently - especially dynamic dial up
assigned, but also in hosting environments. Therefore it's very hard to
guarantee that the specific address is still valid even days after
issuance. Block owners are somewhat different because it involves
usually longer term assignments (and contract) of the block. It also
makes sense for router equipment.
IP addresses can be validated the same way as domain names (for example
sending of email ping to [EMAIL PROTECTED]) however as stated
above, because of dial up users additional verifications should be
performed.
For internal networks, internally assigned domain names should be used,
like NETWORK = intern.domain.com with the HOST resulting in
pc.intern.domain.com where the NETWORK represents the Class C 10.0.0.0
IP and the HOST something like 10.0.0.5. Yes, this despite MS
telling us otherwise and to use non-existing TLDs (security by
obscurity). Certificates can be legitimately issued to pc.intern.domain.com.
It bothers me no more than having domain validated certs with a
lifetime of 10 years or, as you mentioned also, wild cards which are
domain validated. It all belongs to the same category of irresponsible
CA practices. And yes, I believe that Mozilla should strengthen its
policy requirements.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
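As an added example (not code from the thread or from either poster), here is a small Python check that reviews a certificate's subjectAltName values the way the discussion above suggests a policy reviewer would: it flags bare host names and IP literals, separates routable from private addresses, and reports values that appear more than once. The SAN list is constructed to mirror the certificate described above (FQDNs, bare host names each listed twice, routable IPs each listed twice); the values themselves are made up.

```python
import ipaddress
from collections import Counter

# Constructed sample SAN list (not the real certificate's contents), shaped
# like the one discussed: FQDNs, bare host names that each appear twice,
# routable IP literals that each appear twice, and one private address.
SAMPLE_SANS = [
    "www.example-bank.test", "mail.example-bank.test", "pc.intern.example.test",
    "home", "home", "intranet", "intranet",
    "12.34.56.78", "12.34.56.78", "12.34.56.79", "12.34.56.79",
    "10.0.0.5",
]


def classify_san(entry: str) -> str:
    """Classify one subjectAltName value for policy review.

    Returns 'ip_global', 'ip_private', 'bare_host' or 'fqdn'.
    """
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        # Not an IP literal. A name with no dot is only meaningful inside
        # the issuing organisation's own network, so it cannot be validated
        # by a public CA in any globally unambiguous way.
        return "bare_host" if "." not in entry.rstrip(".") else "fqdn"
    # Python's ipaddress marks private, loopback, link-local and reserved
    # ranges as non-global; anything else is publicly routable.
    return "ip_global" if addr.is_global else "ip_private"


def review_sans(entries):
    """Summarise a SAN list: counts per class, duplicated values, and every
    value that is not a fully qualified domain name (the ones a reviewer
    should question)."""
    counts = Counter(classify_san(e) for e in entries)
    duplicates = sorted(v for v, n in Counter(entries).items() if n > 1)
    flagged = sorted({e for e in entries if classify_san(e) != "fqdn"})
    return {"counts": dict(counts), "duplicates": duplicates, "flagged": flagged}


if __name__ == "__main__":
    report = review_sans(SAMPLE_SANS)
    for key, value in report.items():
        print(f"{key}: {value}")
```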
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto