On Tuesday 24 May 2005 15:03, Nemeth, Valentin wrote:
> Hi Ian,

Hi Valentin!

> > Then, logically, a *.TLD cert indicates a valid
> > wildcard range of addresses, and is therefore
> > an identity, albeit a broad one. But, given that
> > CAs who have nothing to do with TLDs can
> > then issue a wildcard covering an entire TLD,
> > I'd be inclined to say that a political not technical
> > decision should be made that a *.TLD be treated
> > as a special case that gets a special treatment.
>
> Any decent CA should block a *.tld cert, even a *.d1.tld as well, where d1
> is a 'generic one'. For example it would be almost just as bad to issue
> *.co.uk or *.com.au as *.net. The list of these domains is pretty long and
> isn't exactly static.

OK, so your answer is the browser doesn't need to do anything about it
because it can just trust CAs to do the job. I can see that it will be
tough to get past that!

Consider this. Imagine you are Verisign, you are Boss, CEO and President
as well as major stockholder. Imagine I am Chairman I Ang of the Chinese
Republic of Middle Earth. I also happen to be the Chief of Staff of the
PLA, the legal and sovereign owner of .CN. Let's say I'm also a nice guy,
an honourable parent, and I have pretty daughters too.

I come to you and say, Boss Valentin, I will award you a 99 year lease on
all certificate operations in China as long as you can issue me the *.CN
certificate.

This is a perfectly valid PKI request. In technical and standards terms,
this has to be acceptable.

What's your answer?

If your answer is anything other than "where do I sign!!!!" why would that
be? Why are you declining a request from the rightful and sovereign owner
for a certificate over their domain? And have you considered the likely
response of the other 99 CAs out there?

Luckily this is a hypothetical problem ... We aren't those people, and I'm
such a bad father I don't have any daughters :-)

But the browser might need to answer this regardless of how nice we are.

iang

--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
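The thread argues about whether the CA or the browser should refuse a wildcard that covers a whole TLD or a "generic" second-level suffix like co.uk. The following is an added example, written for this page and not code from the thread or from any browser or CA: a client-side name-matching routine that treats such wildcards as never matching, independent of what the issuing CA chose to sign. The suffix table is a constructed, deliberately tiny stand-in; a real implementation would load the full, regularly updated Public Suffix List, which is exactly the "long and not static" list the reply refers to.

```python
# Added example: browser-side rejection of overbroad certificate wildcards.
# Not code from the mozilla-crypto thread; the suffix table below is a
# constructed sample standing in for a full public-suffix list.

# Constructed sample. Both bare TLDs and registry-controlled second-level
# suffixes appear here, because "*.co.uk" is as broad as "*.net".
PUBLIC_SUFFIXES = {
    "cn", "net", "com", "uk", "au",              # top-level labels
    "co.uk", "org.uk", "com.au", "net.au",       # "generic" second-level suffixes
}


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_too_broad(pattern):
    """True if a certificate name such as '*.cn' or '*.co.uk' would cover an
    entire TLD or public suffix (or everything, for a bare '*').
    Names without a wildcard are never considered too broad here."""
    labels = _labels(pattern)
    if labels[0] != "*":
        return False
    base = ".".join(labels[1:])
    return base == "" or base in PUBLIC_SUFFIXES


def wildcard_matches(pattern, hostname):
    """Single-label wildcard matching: '*.example.com' matches
    'www.example.com' but neither 'a.b.example.com' nor 'example.com'.
    An overbroad wildcard never matches, whatever the CA signed."""
    if wildcard_too_broad(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(hostname, cert_names):
    """Return the first certificate name (CN or SAN) that legitimately
    covers hostname, or None. Overbroad wildcards are skipped."""
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed certificate name lists for illustration.
    print(wildcard_too_broad("*.cn"))                 # True
    print(wildcard_too_broad("*.co.uk"))              # True
    print(wildcard_too_broad("*.example.co.uk"))      # False
    print(cert_covers("www.example.cn", ["*.cn"]))    # None: refused
    print(cert_covers("www.example.cn", ["*.example.cn"]))  # '*.example.cn'
```

The design choice worth noting is that the check sits in the name-matching step rather than in chain validation: a *.CN certificate issued by a trusted CA still chains correctly, and the browser would accept it unless the matching rule itself declines to let a suffix-level wildcard match any host.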
