end users managing trust databases (was: Re: Wildcard certs?)

2010-07-28 Thread Steffen DETTMER
* Kyle Hamilton wrote on Fri, Jul 23, 2010 at 20:06 -0700:
 There's a company called StartCom (http://www.startssl.com/) who will
 do 2-year validity wildcard certs, upon verification of your identity
 and verification that you have control of the domain for which you are
 requesting certificates.

One of those `we verify by plain text mail and secure by 2048 bit
RSA' CAs?
(Cool is the idea to send an email to mydomain.com before
creating a certificate to protect against mydomain.com domain
name spoofing; if the attacker spoofed DNS already, she can
request a certificate and automatically get the verification
mail sent to the spoofed domain.)

 Oh, and they're included in the latest Microsoft Root
 Certificate Update for Windows XP, and all later versions;

Could it happen if someone removed the certificate from the
lists of trusted CAs that it would be reinstalled?
I just checked my WinXP workstation and I don't find it, but I
cannot check after each winupdate...

 Firefox recognizes them, they're part of Apple's certificate
 store, and it's pretty much only Opera who doesn't recognize
 them for whatever reason.

Because of this, unfortunately, end users have almost no chance
to correctly perform their trust management. It is not
transparent what tool uses which trust database - and it is even
updated automatically. But on the other hand, most users don't
even know what all this is about. Even banks tell their
customers, seeing some small lock icon already means `secure'...

oki,

Steffen
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Wildcard certs?

2010-07-24 Thread Luis Daniel Lucio Quiroz
On Friday 23 July 2010 22:06:44, Kyle Hamilton wrote:
  There's a company called StartCom (http://www.startssl.com/) who will
 do 2-year validity wildcard certs, upon verification of your identity
 and verification that you have control of the domain for which you are
 requesting certificates.
 
 Oh, and they're included in the latest Microsoft Root Certificate Update
 for Windows XP, and all later versions; Firefox recognizes them, they're
 part of Apple's certificate store, and it's pretty much only Opera who
 doesn't recognize them for whatever reason.
 
 -Kyle H
 
I was meaning, for my local OpenSSL installation:
how may I do the request?

Shall I put *.mydomain.com in the DN? Or what?


Re: Wildcard certs?

2010-07-24 Thread Hugo Garza
Yes set the Common Name field to *.yourdomain.com

On Sat, Jul 24, 2010 at 2:45 AM, Luis Daniel Lucio Quiroz 
luis.daniel.lu...@gmail.com wrote:




Re: Wildcard certs?

2010-07-24 Thread Mounir IDRASSI
Well, your question was who i must do request for... that's why we gave
you links for outside CAs.
If you are dealing with your own CA, then using a wildcard character in
the DN will do the job.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


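To turn the advice in this thread into an actual request against a local OpenSSL installation, here is an added example (my own code, not from any poster): it writes a `req` config with `CN = *.mydomain.com` as suggested and, because clients look at subjectAltName rather than the CN, also lists both `*.mydomain.com` and the bare `mydomain.com` as dNSNames, since a wildcard does not cover the bare name. It assumes the `openssl` binary is on the PATH; the domain name is a placeholder.

```python
"""Create a CSR for a wildcard certificate with the openssl CLI (added example)."""
import os
import subprocess
import tempfile


def build_req_config(domain: str) -> str:
    """Return an openssl req config: wildcard in the CN (as the thread suggests)
    plus a subjectAltName that carries both the wildcard and the bare domain."""
    return (
        "[req]\n"
        "distinguished_name = dn\n"
        "req_extensions = ext\n"
        "prompt = no\n"
        "[dn]\n"
        f"CN = *.{domain}\n"
        "[ext]\n"
        "subjectAltName = @alt_names\n"
        "[alt_names]\n"
        f"DNS.1 = *.{domain}\n"   # covers www., mail., ... (one label only)
        f"DNS.2 = {domain}\n"     # the bare name is NOT matched by the wildcard
    )


def make_csr(domain: str, key_path: str, csr_path: str) -> str:
    """Generate a 2048-bit RSA key and CSR with openssl and return the CSR's
    decoded text so the subject and SAN can be inspected before submission."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as cfg:
        cfg.write(build_req_config(domain))
    try:
        subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key_path, "-out", csr_path, "-config", cfg.name],
                       check=True, capture_output=True)
        shown = subprocess.run(["openssl", "req", "-in", csr_path, "-noout", "-text"],
                               check=True, capture_output=True, text=True)
    finally:
        os.unlink(cfg.name)
    return shown.stdout


if __name__ == "__main__":
    # "mydomain.com" is a placeholder domain from the thread, not a real target.
    print(make_csr("mydomain.com", "wildcard.key", "wildcard.csr"))
```

Check the printed text for `CN = *.mydomain.com` and the two `DNS:` entries before sending the CSR to your CA.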

Wildcard certs?

2010-07-23 Thread Luis Daniel Lucio Quiroz
Just wondering

Who must I request a wildcard cert from, for example to accept all the
*.mydomain.com?

Regards,

LD


Re: Wildcard certs?

2010-07-23 Thread Mounir IDRASSI

 Hi,

All major commercial CAs do provide wildcard SSL certificates and the 
price is usually high.

Googling gives the following links for Comodo, Thawte and Verisign:
   - http://www.comodo.com/e-commerce/ssl-certificates/wildcard-ssl.php
   - http://www.thawte.com/ssl/wildcard-ssl-certificates/
   - http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



Re: Wildcard certs?

2010-07-23 Thread Kyle Hamilton
 There's a company called StartCom (http://www.startssl.com/) who will
do 2-year validity wildcard certs, upon verification of your identity
and verification that you have control of the domain for which you are
requesting certificates.

Oh, and they're included in the latest Microsoft Root Certificate Update
for Windows XP, and all later versions; Firefox recognizes them, they're
part of Apple's certificate store, and it's pretty much only Opera who
doesn't recognize them for whatever reason.

-Kyle H



RE: on the security of wildcard certs (was: self-signed SSL certificates and trusted root certificate)

2010-06-11 Thread Eisenacher, Patrick
Hi Jeff,

 -Original Message-
 From: Jeffrey Walton

 Hi Patrick,

   I'm afraid I don't get your point.
 (1) Wild carding violates the Principle of Least Privilege.

I can't see that any endpoint in the communication gets more privilege than 
necessary when I equip my host with a wildcard cert. In case your host is not 
only server, but also client and needs to authenticate itself against another 
server, then that's something else. You shouldn't equip a client with a 
wildcard cert and do strong authentication. But that wasn't the scenario we 
were talking about.

 (2) A certificate binds a public key to an entity such as a user or
 host. I claim using a wild card certificate to attest to all hosts in
 a domain violates the trust. In this case, why bother purchasing a
 wild card certificate from VeriSign or Comodo when you can say, We
 self-signed, Trust Us. In my mind's eye, both instill the same level
 of confidence.

I beg to disagree. A public CA verifies the identity of the company, of the 
applicant, his relation to the company and that the company indeed owns the 
claimed domain. Nothing of that is verified if you use a self signed 
certificate or play CA yourself. So you indeed have very different levels of 
confidence. Plus that's all the customer needs to know: The owner of the 
corresponding private key is indeed the owner of the domain in question. 
Trustwise, whether the host's name is a or b is of no relevance to the 
customer. All he wants to be sure of is that he is indeed talking to a host of 
the service provider that he intends to talk to. And a wildcard cert is giving 
him this trust.

 (3) Moxie's BlackHat presentation used the wild card feature to
 achieve his goals (see around slide 90 where he states, Get a
 domain-validated SSL wildcard cert...).

But as said before, this is of no relevance here, because just because he is 
using a wildcard cert in his attack doesn't make deploying a wildcard cert on a 
server any less secure than a non-wildcard one, neither for the service 
provider, nor for the customer. As Rene has already pointed out, Moxie's 
presentation was about security weaknesses in browsers at the time of his talk 
or even earlier, not about security weaknesses in wildcard certs.

  So security-wise, I still can't see the major drawbacks you were
  talking about
 Apparently we have different security postures.

So far you only claimed there is a security difference between wildcard and 
non-wildcard certs, but failed to demonstrate it. Renee and I gave you 
attack-scenarios that actually have the same security level and consequences in 
case of compromise when using wildcard and non-wildcard certs. Why don't you 
put your scenario on the table, so we can have a look at it?


Patrick Eisenacher


Doubts about wildcard certs (*.mydomain.com)

2010-06-09 Thread Andre Rodrigues
Hi,


Are there any constraints about wildcard certs usage?

Do I need to inform the F.Q.D.N. I will use  in the SAN?

All the browsers know how to handle them?

Can you point me any docs about this type of cert?
 
Thanks,
Andre


  


Re: Wildcard certs vs. base name

2008-11-13 Thread Bernhard Froehlich

John Nagle wrote:
Question: Is a certificate for *.example.com considered valid for 
example.com?


OpenSSL seems to say no, but Firefox 2 says yes.  Try
https://stanford.edu for a test.
IIRC OpenSSL does not accept wildcards at all in s_client. The library 
itself does not make any decision whether a name in a certificate matches 
the (host-)name the application tried to connect to.


Browsers seem to handle wildcards differently, see 
http://wiki.cacert.org/wiki/WildcardCertificates for some compiled 
information about the topic.


Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26





Re: [openssl-users] Wildcard certs vs. base name

2008-11-13 Thread Erwann ABALEA
Today is the day before the Ides of November 2008; John Nagle wrote:
 Question: Is a certificate for *.example.com considered valid for 
 example.com?

No. *.example.com could at most be reduced to .example.com, but
the first . can't be suppressed.

 OpenSSL seems to say no, but Firefox 2 says yes.  Try
 https://stanford.edu for a test.

The certificate sent by this site has a subjectAlternativeName
extension:
X509v3 Subject Alternative Name: 
DNS:*.stanford.edu, DNS:stanford.edu

And this satisfies Firefox.

 RFC 2459 doesn't discuss wildcards.  I haven't paid
 73 CHF to access the X.509 standard at  
 http://www.itu.int/rec/T-REC-X.509-200508-I/en.

RFC2459 is waaa obsolete, it has been replaced by RFC3280, and
then by RFC5280. It can't discuss wildcards, since it's an SSL-only
use case. Same goes for the X.509 standard (which is free to download
in PDF format).

-- 
Erwann ABALEA [EMAIL PROTECTED]
-
Jesus saves! Passes to Moses, he shoots. He SCORES!

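The matching rule Erwann describes (the first label cannot be suppressed, so `*.example.com` does not cover `example.com`, and the site works only because its SAN also lists the bare name), as an added example that is my own code, not from the thread: a hostname checker applying the browser-style wildcard rules to a certificate's dNSName entries, with the CN as fallback only when no SAN is present. This is the decision Ted notes the OpenSSL library of the time left to the application (later releases provide X509_check_host); the names are assumed to have been extracted from the certificate already.

```python
"""Browser-style hostname matching for wildcard certificates (added example)."""
from typing import List, Optional


def match_one(pattern: str, hostname: str) -> bool:
    """Match a single dNSName/CN pattern against a hostname.

    Rules, as browsers implement them (RFC 6125 style):
    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is honoured only as the complete left-most label ("*.example.com")
    - it matches exactly one label: "www.example.com" yes, "example.com" and
      "a.b.example.com" no
    - partial-label ("w*.example.com") or non-leftmost wildcards are rejected,
      as is a wildcard directly under a TLD ("*.com")
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == labels[1:]


def hostname_matches(hostname: str, san_dns: List[str],
                     common_name: Optional[str] = None) -> bool:
    """True if the certificate's names cover hostname. When dNSName SAN entries
    exist only they count; the CN is consulted solely as a legacy fallback."""
    if san_dns:
        return any(match_one(p, hostname) for p in san_dns)
    return common_name is not None and match_one(common_name, hostname)


if __name__ == "__main__":
    # The SAN quoted from the stanford.edu certificate in the thread.
    stanford_san = ["*.stanford.edu", "stanford.edu"]
    print(hostname_matches("stanford.edu", stanford_san))        # True, via DNS:stanford.edu
    print(hostname_matches("stanford.edu", ["*.stanford.edu"]))  # False: wildcard alone
    print(hostname_matches("www.stanford.edu", ["*.stanford.edu"]))  # True
```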

Wildcard certs vs. base name

2008-11-13 Thread John Nagle

Question: Is a certificate for *.example.com considered valid for 
example.com?

OpenSSL seems to say no, but Firefox 2 says yes.  Try
https://stanford.edu for a test.

RFC 2459 doesn't discuss wildcards.  I haven't paid
73 CHF to access the X.509 standard at 
http://www.itu.int/rec/T-REC-X.509-200508-I/en.


John Nagle
SiteTruth