On Monday 23 May 2005 12:34, Duane wrote:
> Ian G wrote:
> > And what does Firefox do when it sees a *.com
> > cert? If it is acceptable as a cert, then I'd strongly
> > suggest looking closely at how to reveal this very
> > powerful cert in the status bar.
>
> I actually made this point the other day, say someone issues the Chinese
> govt a cert for "*" what security benefit is there in seeing the host
> name...
Hmm, ok so you are suggesting it is possible, as a legal cert? And that the browser will happily accept it?

It is corner cases like this that make the security model work well. And make security work fun :-)

As the cert * does not include a domain, by definition, then logically if not by cert rules it should be considered to be a self-signed cert. That is, you could get the same logical effect by issuing a self-signed cert on the fly for each new domain name seen.

Then, logically, a *.TLD cert indicates a valid wildcard range of addresses, and is therefore an identity, albeit a broad one. But, given that CAs who have nothing to do with TLDs can then issue a wildcard covering an entire TLD, I'd be inclined to say that a political, not technical, decision should be made that a *.TLD be treated as a special case that gets a special treatment.

Obviously, if China decides to buy a wildcard cert for its Great Firewall, this is an entirely valid wildcard and an entirely valid use of PKI within the technical domain. Only in the political domain would this raise some interesting discussions.

iang

--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
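The "special treatment" for a bare "*" and for *.TLD wildcards that the thread argues for, as an added example that is not code from the thread, from Firefox or from any other browser. The SUFFIXES set is a constructed, deliberately tiny stand-in for a real public-suffix list, and the single-label matching rule is the usual one for the left-most label.

```python
"""Hostname-vs-certificate-name matching that refuses the two wildcard
forms discussed above: a bare '*' (no identity at all, effectively a
self-signed cert) and '*.TLD' (an entire public suffix).

Added example, not from the thread or any browser.  SUFFIXES is a
constructed stand-in for the public suffix list, which is far larger.
"""

SUFFIXES = {"com", "net", "org", "cn", "co.uk"}  # constructed sample


def wildcard_scope(name: str) -> str:
    """Classify a certificate name by how broad its wildcard is.

    'exact'      - no wildcard, names one host
    'host'       - '*.example.com': one label under a registrable domain
    'tld'        - '*.com' or '*.co.uk': covers a whole public suffix
    'everything' - bare '*': matches every host
    'invalid'    - wildcard outside the left-most label or inside a label
    """
    name = name.lower().rstrip(".")
    if "*" not in name:
        return "exact"
    if name == "*":
        return "everything"
    labels = name.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return "invalid"
    if ".".join(labels[1:]) in SUFFIXES:
        return "tld"
    return "host"


def matches(cert_name: str, host: str) -> bool:
    """True only when cert_name names host with a scope worth trusting.

    'everything' and 'tld' scopes are refused: the thread's point is that
    seeing the host name buys nothing if the cert covers '*' or all of a TLD.
    """
    scope = wildcard_scope(cert_name)
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if scope == "exact":
        return cert_name == host
    if scope != "host":
        return False
    # '*' may stand in for exactly one non-empty left-most label.
    head, sep, tail = host.partition(".")
    return sep == "." and head != "" and "*" not in head and tail == cert_name[2:]
```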
