omodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; jeremy.row...@digicert.com;
Peter Gutmann <pgut...@cs.auckland.ac.nz>
Subject: RE: [FORGED] Name issues in public certificates
We tested IE6/IE7/IE8 on XP sp3, and IE10/IE11 on Windows 8, all support.
Firefox 3.6.3, 38 - 42, all suppor
On 2015-11-20 17:27, Peter Bowen wrote:
On Fri, Nov 20, 2015 at 7:32 AM, Kurt Roeckx wrote:
On 2015-11-19 22:19, douglas.beat...@gmail.com wrote:
I realize I'm a little late to the game, but I had a question on the
maximum length. If I'm reading this correctly, it looks like
Yes, thanks. I had CommonName field in mind and that is limited to 64
characters but SubjectAltName is completely different when it comes to max
length (even though they both hold a FQDN).
On Friday, November 20, 2015 at 11:49:49 AM UTC-5, Kurt Roeckx wrote:
>
> For some reason I missed this
On Fri, Nov 20, 2015 at 9:28 AM, wrote:
> Yes, thanks. I had CommonName field in mind and that is limited to 64
> characters but SubjectAltName is completely different when it comes to max
> length (even though they both hold a FQDN).
I had missed that limitation
On Wednesday, November 18, 2015 at 5:43:57 PM UTC-8, Brian Smith wrote:
> Peter Bowen wrote:
>
> > 2) For commonName attributes in subject DNs, clarify that they can only
> > contain:
> >
> > - IPv4 address in dotted-decimal notation (specified as IPv4address
> > from section 3.2.2 of RFC 3986)
> >
On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling wrote:
> I would also like to get clarification on if/when the underscore character
> may be used in each of the name types. Your report seems to flag
> underscores as always prohibited (I think), but I expect that some CAs
On Wed, November 18, 2015 8:56 am, Peter Bowen wrote:
> On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling
> wrote:
> > I would also like to get clarification on if/when the underscore
> > character
> > may be used in each of the name types. Your report seems to flag
> >
On Wed, Nov 18, 2015 at 10:25 AM, Ryan Sleevi
wrote:
> On Wed, November 18, 2015 8:56 am, Peter Bowen wrote:
>> On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling
>> wrote:
>> > I would also like to get clarification on if/when the
..@gmail.com]
Sent: Wednesday, November 18, 2015 10:28 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: Re: [FORGED] Name issues in public
2:12 PM
To: Jeremy Rowley
Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen;
Peter Gutmann
Subject: Re: [FORGED] Name issues in public certificates
On 17/11/15 18:27, Jeremy Rowley wrote:
Encoding an IP Address in a dNSName is not permitted by the
Peter Bowen wrote:
> 2) For commonName attributes in subject DNs, clarify that they can only
> contain:
>
> - IPv4 address in dotted-decimal notation (specified as IPv4address
> from section 3.2.2 of RFC 3986)
> - IPv6 address in coloned-hexadecimal notation (specified as
>
On Tue, Nov 17, 2015 at 4:40 PM, Richard Wang wrote:
> So WoSign only left IP address issue that we added both IP address and DNS
> Name since some browser have warning for IP address only in SAN.
>
Put the IP addresses in the SAN as an iPAddress and then also put them in
On Wed, Nov 18, 2015 at 5:43 PM, Brian Smith wrote:
> Peter Bowen wrote:
>>
>> 2) For commonName attributes in subject DNs, clarify that they can only
>> contain:
>>
>> - IPv4 address in dotted-decimal notation (specified as IPv4address
>> from section
to:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Rob Stradling
Sent: Tuesday, November 17, 2015 9:32 PM
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Peter Bowen
<pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: [FORGED] Name
-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Rob Stradling
Sent: Tuesday, November 17, 2015 9:32 PM
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Peter Bowen
<pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: [FORGED] Name issu
+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Rob Stradling
Sent: Tuesday, November 17, 2015 10:40 AM
To: Peter Bowen
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
Subject: Re: [FORGED] Name issues in public certificates
On 17/11/15 16:25, Peter Bowen wrote:
>>- R
..@cs.auckland.ac.nz>; Peter Bowen
> <pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: [FORGED] Name issues in public certificates
>
> On 17/11/15 08:25, Peter Gutmann wrote:
>> Peter Bowen <pzbo...@gmail.com> writes:
>>
>>&g
On 17/11/15 16:25, Peter Bowen wrote:
- RFC5280 sections 7.2 and 7.3 do indeed talk about the need for dNSNames,
domainComponents, etc, to only contain ASCII data. However, your report
also flags Subject CNs with non-ASCII data - AFAICT, this is permitted by
both RFC5280 and the BRs. It is
On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote:
>
> Great. I tried importing the list into postgres but I couldn't persuade it
> to accept the invalid character encodings, so I gave up.
When importing data in my postgres database I leave the fields
NULL in case I really can't do
On Tue, Nov 17, 2015 at 2:40 PM, Rob Stradling wrote:
> On 17/11/15 17:54, Kurt Roeckx wrote:
>>
>> On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote:
>>>
>>>
>>> Great. I tried importing the list into postgres but I couldn't persuade
>>> it
>>> to accept
On 17/11/15 22:47, Peter Bowen wrote:
I've uploaded the original CSV file to
https://s3-us-west-2.amazonaws.com/pzb-public-files/invalid-dnsname.csv
I suspect it might work better than the CSV -> Google Sheets -> TSV path.
Thanks,
Peter
Thanks Peter.
--
Rob Stradling
Senior Research &
On 17/11/15 17:54, Kurt Roeckx wrote:
On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote:
Great. I tried importing the list into postgres but I couldn't persuade it
to accept the invalid character encodings, so I gave up.
When importing data in my postgres database I leave the
er 17, 2015 2:12 PM
> To: Jeremy Rowley
> Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen;
> Peter Gutmann
> Subject: Re: [FORGED] Name issues in public certificates
>
> On 17/11/15 18:27, Jeremy Rowley wrote:
>> Encoding an IP Address in a dNSName i
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Tuesday, November 17, 2015 2:12 PM
To: Jeremy Rowley
Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen;
Peter Gutmann
Subject: Re: [FORGED] Name issues in public certificates
On 17/11/15 18:27, Jeremy Rowley
Richard Wang <rich...@wosign.com>
> Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann
> <pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: [FORGED] Name issues in public certificates
>
> On Tue, Nov 17, 2015 at 6:12
la.org
Subject: Re: [FORGED] Name issues in public certificates
On Tue, Nov 17, 2015 at 6:12 AM, Richard Wang <rich...@wosign.com> wrote:
> I also found some mistakes for the list:
> 1. I see some client certificate in the report that it say the email
> as common name is wrong;
I filter
: Wednesday, November 18, 2015 10:28 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: Re: [FORGED] Name issues in public certificates
Rich
Peter Bowen writes:
>There are a couple of rules that may create false positives, so please don't
>assume every certificate on the sheet is problematic.
That's still pretty scary, nearly 50,000 names from a who's-who of commercial
CAs. Yet more evidence that, like the output
...@comodo.com]
Sent: Tuesday, November 17, 2015 2:12 PM
To: Jeremy Rowley
Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen;
Peter Gutmann
Subject: Re: [FORGED] Name issues in public certificates
On 17/11/15 18:27, Jeremy Rowley wrote:
> Encoding an IP Address in a dNSN