[EMAIL PROTECTED] wrote: > On Jun 9, 2:55 pm, Michael Ströder <[EMAIL PROTECTED]> wrote: >> I really wonder what makes a host name an "unqualified hostname"? > > One workable definition is a host name without a dot "." (ignoring any > trailing dots).
This would exclude issuing certs for a top-level hostname. This could be a valid assumption though. >> No doubt that https://www/looks like a valid example to us humans. But >> how about https://com/(top-level domain)? > > It doesn't really matter what looks like a valid host name to humans. That's exactly what I meant. ;-) > What matters is the policy under which certificates are issued. If a > CA is willing to issue certs for "com" or "www" to anyone, then the > certificate does not guarantee who you're talking to. It depends: If the CA states that the hostname MUST be a fully-qualified domain name then even a hostname without a dot has a well-defined meaning without extra magic. >> As I noted in a previous >> posting technically you can't tell without actually trying to lookup a >> hostname in DNS (without search suffix automagic). > > It doesn't matter what DNS tells you. But it does matter what the browser asks for. > In this threat model, DNS is under the control of the attacker. Yes. > What matters is what the browser > can deduce from the CA's signature on the certificate. But the browser does the connect based on DNS resolving. Ciao, Michael. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto