RE: [FORGED] Name issues in public certificates

2016-03-09 Thread Richard Wang
omodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; jeremy.row...@digicert.com; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: RE: [FORGED] Name issues in public certificates We tested IE6/IE7/IE8 on XP sp3, and IE10/IE11 on Windows 8, all support. Firefox 3.6.3, 38 - 42, all suppor

Re: [FORGED] Name issues in public certificates

2015-11-20 Thread Kurt Roeckx
On 2015-11-20 17:27, Peter Bowen wrote: On Fri, Nov 20, 2015 at 7:32 AM, Kurt Roeckx wrote: On 2015-11-19 22:19, douglas.beat...@gmail.com wrote: I realize I'm a little late to the game, but I had a question on the maximum length. If I'm reading this correctly, it looks like

Re: [FORGED] Name issues in public certificates

2015-11-20 Thread douglas.beattie
Yes, thanks. I had CommonName field in mind and that is limited to 64 characters but SubjectAltName is completely different when it comes to max length (even though they both hold a FQDN). On Friday, November 20, 2015 at 11:49:49 AM UTC-5, Kurt Roeckx wrote: > > For some reason I missed this

Re: [FORGED] Name issues in public certificates

2015-11-20 Thread Peter Bowen
On Fri, Nov 20, 2015 at 9:28 AM, wrote: > Yes, thanks. I had CommonName field in mind and that is limited to 64 > characters but SubjectAltName is completely different when it comes to max > length (even though they both hold a FQDN). I had missed that limitation

Re: [FORGED] Name issues in public certificates

2015-11-20 Thread Rick Andrews
On Wednesday, November 18, 2015 at 5:43:57 PM UTC-8, Brian Smith wrote: > Peter Bowen wrote: > > > 2) For commonName attributes in subject DNs, clarify that they can only > > contain: > > > - IPv4 address in dotted-decimal notation (specified as IPv4address > > from section 3.2.2 of RFC 3986) > >

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling wrote: > I would also like to get clarification on if/when the underscore character > may be used in each of the name types. Your report seems to flag > underscores as always prohibited (I think), but I expect that some CAs

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Ryan Sleevi
On Wed, November 18, 2015 8:56 am, Peter Bowen wrote: > On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling > wrote: > > I would also like to get clarification on if/when the underscore > > character > > may be used in each of the name types. Your report seems to flag > >

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 10:25 AM, Ryan Sleevi wrote: > On Wed, November 18, 2015 8:56 am, Peter Bowen wrote: >> On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling >> wrote: >> > I would also like to get clarification on if/when the

RE: [FORGED] Name issues in public certificates

2015-11-18 Thread Richard Wang
..@gmail.com] Sent: Wednesday, November 18, 2015 10:28 AM To: Richard Wang <rich...@wosign.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: Re: [FORGED] Name issues in public

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Rob Stradling
2:12 PM To: Jeremy Rowley Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen; Peter Gutmann Subject: Re: [FORGED] Name issues in public certificates On 17/11/15 18:27, Jeremy Rowley wrote: Encoding an IP Address in a dNSName is not permitted by the

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Brian Smith
Peter Bowen wrote: > 2) For commonName attributes in subject DNs, clarify that they can only > contain: > - IPv4 address in dotted-decimal notation (specified as IPv4address > from section 3.2.2 of RFC 3986) > - IPv6 address in coloned-hexadecimal notation (specified as >

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Brian Smith
On Tue, Nov 17, 2015 at 4:40 PM, Richard Wang wrote: > So WoSign only left IP address issue that we added both IP address and DNS > Name since some browser have warning for IP address only in SAN. > Put the IP addresses in the SAN as an iPAddress and then also put them in

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 5:43 PM, Brian Smith wrote: > Peter Bowen wrote: >> >> 2) For commonName attributes in subject DNs, clarify that they can only >> contain: >> >> - IPv4 address in dotted-decimal notation (specified as IPv4address >> from section

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Rob Stradling
to:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Rob Stradling Sent: Tuesday, November 17, 2015 9:32 PM To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Peter Bowen <pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [FORGED] Name

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Rob Stradling Sent: Tuesday, November 17, 2015 9:32 PM To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Peter Bowen <pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [FORGED] Name issu

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Jeremy Rowley
+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Rob Stradling Sent: Tuesday, November 17, 2015 10:40 AM To: Peter Bowen Cc: mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann Subject: Re: [FORGED] Name issues in public certificates On 17/11/15 16:25, Peter Bowen wrote: >>- R

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Jeremy Rowley
..@cs.auckland.ac.nz>; Peter Bowen > <pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: [FORGED] Name issues in public certificates > > On 17/11/15 08:25, Peter Gutmann wrote: >> Peter Bowen <pzbo...@gmail.com> writes: >> >>&g

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Rob Stradling
On 17/11/15 16:25, Peter Bowen wrote: - RFC5280 sections 7.2 and 7.3 do indeed talk about the need for dNSNames, domainComponents, etc, to only contain ASCII data. However, your report also flags Subject CNs with non-ASCII data - AFAICT, this is permitted by both RFC5280 and the BRs. It is

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Kurt Roeckx
On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote: > > Great. I tried importing the list into postgres but I couldn't persuade it > to accept the invalid character encodings, so I gave up. When importing data in my postgres database I leave the fields NULL in case I really can't do

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
On Tue, Nov 17, 2015 at 2:40 PM, Rob Stradling wrote: > On 17/11/15 17:54, Kurt Roeckx wrote: >> >> On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote: >>> >>> >>> Great. I tried importing the list into postgres but I couldn't persuade >>> it >>> to accept

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Rob Stradling
On 17/11/15 22:47, Peter Bowen wrote: I've uploaded the original CSV file to https://s3-us-west-2.amazonaws.com/pzb-public-files/invalid-dnsname.csv I suspect it might work better than the CSV -> Google Sheets -> TSV path. Thanks, Peter Thanks Peter. -- Rob Stradling Senior Research &

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Rob Stradling
On 17/11/15 17:54, Kurt Roeckx wrote: On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote: Great. I tried importing the list into postgres but I couldn't persuade it to accept the invalid character encodings, so I gave up. When importing data in my postgres database I leave the

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
er 17, 2015 2:12 PM > To: Jeremy Rowley > Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen; > Peter Gutmann > Subject: Re: [FORGED] Name issues in public certificates > > On 17/11/15 18:27, Jeremy Rowley wrote: >> Encoding an IP Address in a dNSName i

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
From: Rob Stradling [mailto:rob.stradl...@comodo.com] Sent: Tuesday, November 17, 2015 2:12 PM To: Jeremy Rowley Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen; Peter Gutmann Subject: Re: [FORGED] Name issues in public certificates On 17/11/15 18:27, Jeremy Rowley

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
Richard Wang <rich...@wosign.com> > Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann > <pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: [FORGED] Name issues in public certificates > > On Tue, Nov 17, 2015 at 6:12

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
la.org Subject: Re: [FORGED] Name issues in public certificates On Tue, Nov 17, 2015 at 6:12 AM, Richard Wang <rich...@wosign.com> wrote: > I also found some mistakes for the list: > 1. I see some client certificate in the report that it say the email > as common name is wrong; I filter

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
: Wednesday, November 18, 2015 10:28 AM To: Richard Wang <rich...@wosign.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: Re: [FORGED] Name issues in public certificates Rich

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Gutmann
Peter Bowen writes: >There are a couple of rules that may create false positives, so please don't >assume every certificate on the sheet is problematic. That's still pretty scary, nearly 50,000 names from a who's-who of commercial CAs. Yet more evidence that, like the output

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Jeremy Rowley
...@comodo.com] Sent: Tuesday, November 17, 2015 2:12 PM To: Jeremy Rowley Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen; Peter Gutmann Subject: Re: [FORGED] Name issues in public certificates On 17/11/15 18:27, Jeremy Rowley wrote: > Encoding an IP Address in a dNSN