On 05/30/2016 08:58 PM, Viktor Dukhovni wrote:

> Name constraints in the X.509v3 PKI have not worked well, and are
> rarely used. The attack requires an issuing CA to be willing to
> issue certificates beyond its constraints, that would be quite
> noticeable and rather unwise. So I think this is not a major
> problem. We should probably make a reasonable effort to address
> this, but the urgency is I think low.

The priority may be higher than that, because of something that has not yet been mentioned in this discussion: The nameConstraints protect the issuing CA, not just the relying parties.

Here's the scenario: I persuade 1000 of my closest friends to accept my mumble.com CA as a trusted root. I offer them the assurance that:

    The root cert is name-constrained, and therefore affects only
    their interactions with *.mumble.com, so it's not very
    dangerous.  [1]

The first problem is that if openssl does not implement nameConstraints properly, my assertion [1] is false.

This leads to a second problem: My cert-issuing machine becomes a much juicier target. If anybody pwns my machine, then /every/ cert-based activity of /every one/ of my friends is compromised, via the nameConstraints bypass bug.

The problem does not revolve around me intentionally doing something unwise; it involves a bad guy stealing from me and then doing something nasty.

So it seems the priority / prevalence argument is at best circular: People would use the feature a lot more if they could trust it to do the right thing.

As Fred Smith once said, you don't judge the importance or the optimal size of the proposed bridge according to the number of people seen driving across the river before the bridge is built.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502
Please log in as guest with password guest if prompted
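
One way to test assertion [1] against a local openssl build, as an added example that is not part of the original message: it creates a constructed throwaway root constrained to mumble.com (the domain from the scenario above), signs one leaf inside and one outside the constraint, and reports whether `openssl verify` accepts each. The file names, the example.org host and the helper function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Constructed test PKI: every name, key and path below is made up for this check.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root whose only permitted dNSName subtree is mumble.com.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:mumble.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Sign a leaf for host $1 with the constrained root's key (SAN dNSName = $1).
issue_leaf() {
  local host=$1
  printf 'subjectAltName = DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# Return 0 if this openssl accepts the leaf for host $1 under the constrained root.
leaf_accepted() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca
issue_leaf www.mumble.com
issue_leaf www.example.org
leaf_accepted www.mumble.com && echo "in-scope leaf: accepted"
if leaf_accepted www.example.org; then
  echo "OUT-OF-SCOPE leaf ACCEPTED: nameConstraints not enforced"
else
  echo "out-of-scope leaf: rejected"
fi
```

This exercises only the subjectAltName dNSName path of `openssl verify`; it does not reproduce the specific bypass tracked in the ticket, which this message does not describe.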