On Fri 2015-01-30 15:40:38 -0500, Jeremy Rowley wrote:
> Although I just realized you're probably wondering if you can
> substitute "?" of "*" - so *.example.com would become ?.example.com.
>
> It's a good question. I think there's real value in knowing whether a
> wildcard cert was issued over a non-wildcard. I'd actually like the
> rfc to say you can't substitute ? for a wildcard character as you're
> essentially substituting ? for an unlimited number of based domain
> names.
But isn't that kind of the point? If i control foo.example, and i'm
monitoring the logs to make sure no one impersonates anything in my zone
(including the apex), then i'm looking for all of the following literal
matches as suffixes:
foo.example
?.example
*.example
In particular, of course, i'm looking for entries in the logs that are
associated with public keys not under my control (i can ignore my own
entries).
Note that the first entry there also covers literal strings like:
?.foo.example
*.foo.example
If i find anything in the logs matching those suffixes, i know that my
domain name may have been hijacked, because a matching form could be
there.
It wouldn't matter to me whether it was being hijacked by someone with a
cert that says "foo.example" instead of "*.example", or "*.foo.example"
instead of "www.foo.example" -- either one is sufficient to raise an
alarm, and (because of the redaction) i wouldn't know if "?.foo.example"
was issued to "www.foo.example" or "bar.foo.example" anyway.
I still don't see why we shouldn't allow redaction of a wildcard label.
What does this restriction defend against? how does it make life easier
or better for any of the players in the CT ecosystem?
--dkg
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
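The monitoring procedure dkg describes, worked through as an added example (this is not code from the message or from the trans working group). It assumes a monitor that receives, for each logged (pre)certificate, the possibly redacted dNSName and a fingerprint of the certificate's public key; the log entries, key fingerprints and the zone name foo.example below are constructed for illustration. A name is treated as covered when a watch pattern equals it or is a whole-label suffix of it, so "notfoo.example" is not mistaken for part of the zone, while both "?.foo.example" and "*.foo.example" trip the alarm through the literal suffix "foo.example" regardless of which unredacted name the issuer actually certified.

```python
"""Toy CT-log monitor for one zone: flag any logged name under the zone
(including redacted '?' and wildcard '*' forms) whose key is not ours.
Hypothetical example; all sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class LogEntry:
    dns_name: str     # dNSName as it appears in the log, possibly redacted
    spki_sha256: str  # hex SHA-256 of the cert's SubjectPublicKeyInfo (constructed)


def watch_patterns(zone: str) -> List[str]:
    """Literal suffixes a zone owner watches for: the apex itself, plus the
    apex with its leftmost label redacted ('?') or wildcarded ('*')."""
    zone = zone.lower().rstrip(".")
    if "." not in zone:
        raise ValueError("zone must have at least two labels")
    parent = zone.split(".", 1)[1]
    return [zone, "?." + parent, "*." + parent]


def matches_suffix(name: str, pattern: str) -> bool:
    """True if pattern equals name or is a whole-label suffix of it.
    'www.foo.example' and '?.foo.example' match 'foo.example';
    'notfoo.example' and 'foo.example.org' do not."""
    name = name.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


def matching_pattern(name: str, patterns: List[str]) -> Optional[str]:
    """First watch pattern covering name, or None."""
    for pattern in patterns:
        if matches_suffix(name, pattern):
            return pattern
    return None


def alarms(zone: str, entries: List[LogEntry],
           my_keys: Set[str]) -> List[Tuple[str, str]]:
    """(logged name, matched pattern) for every entry that falls under the
    zone but was issued to a key the zone owner does not control.
    Entries bound to our own keys are ignored, as dkg describes."""
    patterns = watch_patterns(zone)
    hits = []
    for entry in entries:
        pattern = matching_pattern(entry.dns_name, patterns)
        if pattern is not None and entry.spki_sha256 not in my_keys:
            hits.append((entry.dns_name, pattern))
    return hits


# Constructed sample data: two fake key fingerprints and a handful of log
# entries, some redacted, some wildcarded, some in unrelated zones.
MY_KEY = "11" * 32
OTHER_KEY = "ee" * 32
MY_KEYS = {MY_KEY}
SAMPLE_ENTRIES = [
    LogEntry("foo.example", MY_KEY),         # our own apex cert: ignore
    LogEntry("www.foo.example", MY_KEY),     # our own host cert: ignore
    LogEntry("?.foo.example", OTHER_KEY),    # redacted label under our zone
    LogEntry("*.foo.example", OTHER_KEY),    # wildcard under our zone
    LogEntry("*.example", OTHER_KEY),        # wildcard covering our apex
    LogEntry("?.example", OTHER_KEY),        # redacted form covering our apex
    LogEntry("notfoo.example", OTHER_KEY),   # different zone, shares a suffix
    LogEntry("bar.example", OTHER_KEY),      # unrelated sibling zone
]


def demo() -> List[Tuple[str, str]]:
    """Run the monitor over the constructed entries for zone foo.example."""
    return alarms("foo.example", SAMPLE_ENTRIES, MY_KEYS)


if __name__ == "__main__":
    for name, pattern in demo():
        print(f"ALARM: {name!r} matched watch pattern {pattern!r}")
```

Note that the monitor cannot tell whether "?.foo.example" stands for "*.foo.example" or "www.foo.example"; it does not need to, since any unrecognized key under the zone is grounds for an alarm either way, which is the point of the message above.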
