Re: Wildcard Certs

2003-06-16 Thread Stefan Kelm
Martin,

> Are wildcard certificates good? secure? useful?

There's a problem with wildcard certs wrt how URLs are being displayed in 
many of the browsers, esp. the older ones. If the host name is extremely 
long the browser will be unable to show the complete URL to the user, 
with some browsers even inserting ... into the address window.   

Now, suppose I buy a certificate for *.i-am-bad.com (assuming that I'm 
the owner of that domain). I could then set up an SSL server with a 
hostname of something like   

www.security-products.microsoft.com.order.registration.checkout.user-support.i-am-bad.com

hoping that the browser will only display the more familiar looking parts 
of the URL to the user who in turn will happily accept the certificate.  

You get the idea.

Cheers,

Stefan.

Security Awareness Symposium - 24.-25.06.2003, Karlsruhe
http://www.security-awareness-symposium.de/

Dipl.-Inform. Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe

Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail [EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
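The trick described above depends on two things a practitioner should be able to check: whether a given hostname actually matches a wildcard name, and how much of a long hostname survives in a width-limited address display. The following is an added example, not code from either post. It implements the single-label wildcard rule of RFC 6125 section 6.4.3 (the left-most label may be "*", it stands for exactly one label, and at least two literal labels must follow it); the `multi_label` flag is an assumption that emulates laxer matchers which let "*" absorb several labels, and `address_bar_view` is a constructed truncation, not any particular browser's algorithm. `ATTACK_NAME` is the hostname from the post, used here as constructed input.

```python
"""Wildcard certificate name matching (RFC 6125 style) plus a constructed
address-bar truncation, to show what the long-hostname trick relies on."""

# Constructed input: the hostname from the post, not a real host.
ATTACK_NAME = ("www.security-products.microsoft.com.order.registration"
               ".checkout.user-support.i-am-bad.com")


def wildcard_matches(pattern: str, hostname: str, multi_label: bool = False) -> bool:
    """Return True if `hostname` matches the certificate name `pattern`.

    Strict mode follows RFC 6125 s6.4.3: '*' must be the entire left-most
    label and matches exactly one label.  multi_label=True is an assumption
    emulating older, laxer matchers where '*' could swallow several labels.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain dNSName: exact match only
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Wildcard must be the whole left-most label, appear only once, and leave
    # at least two literal labels to its right ("*.com" is rejected).
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    if len(hlabels) < len(plabels):
        return False                        # e.g. "i-am-bad.com" vs "*.i-am-bad.com"
    fixed = len(plabels) - 1                # number of literal labels in the pattern
    if hlabels[-fixed:] != plabels[1:]:
        return False                        # suffix differs
    absorbed = hlabels[:-fixed]             # labels the '*' would have to cover
    if any(label == "" for label in absorbed):
        return False                        # empty label, e.g. "a..i-am-bad.com"
    return True if multi_label else len(absorbed) == 1


def address_bar_view(url: str, width: int) -> str:
    """Constructed illustration: show the first `width` characters of a URL and
    append '...' when it does not fit.  Not any specific browser's behaviour."""
    if len(url) <= width:
        return url
    return url[:width] + "..."


if __name__ == "__main__":
    for name in ("www.i-am-bad.com", ATTACK_NAME):
        print(f"{name}: strict={wildcard_matches('*.i-am-bad.com', name)} "
              f"lax={wildcard_matches('*.i-am-bad.com', name, multi_label=True)}")
    print(address_bar_view("https://" + ATTACK_NAME + "/", 39))
```

Under the strict rule the long hostname does not match `*.i-am-bad.com` at all, because the wildcard would have to absorb eight labels; it only matches a lax matcher, or an exact certificate issued for the full name. The display part is independent of the certificate: any sufficiently long name, wildcard or not, loses its real suffix once the address field is narrower than the name.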


Re: Wildcard Certs

2003-06-16 Thread martin f krafft
thus spoke Stefan Kelm [EMAIL PROTECTED] [2003.06.16.1652 +0200]:
> Now, suppose I buy a certificate for *.i-am-bad.com (assuming that I'm 
> the owner of that domain). I could then set up an SSL server with a 
> hostname of something like   
> 
> www.security-products.microsoft.com.order.registration.checkout.user-support.i-am-bad.com
> 
> hoping that the browser will only display the more familiar looking parts 
> of the URL to the user who in turn will happily accept the certificate.  

I could also just buy a certificate with that name. While it is an
interesting point, I do not see how wildcard certificates make this
possible, or enhance it.

-- 
martin;  (greetings from the heart of the sun.)
 
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
 
before he died, rabbi zusya said: in the world to come they will not
ask me, 'why were you not moses?' they will ask me, 'why were you not
zusya?'

