On 31/01/15 01:58, Peter Bowen wrote:
> On Fri, Jan 30, 2015 at 2:16 PM, Jeremy Rowley
> <[email protected]> wrote:
>> My idea isn't fully formed yet, but...
>> Wildcard certs are more risky than normal certs since the CA doesn't know
>> exactly what they are securing. All they know is the secured base level
>> domain. Therefore, I think the public has a strong interest in knowing when a
>> wildcard cert was issued v. a standard FQDN cert. However, I'm not sure
>> there's much more risk to the end certificate requester - they still know
>> everything that's been issued for their domain. It certainly doesn't make life
>> easier for the CT operator or CA, but it gives important information to the
>> relying parties looking at certs. If they look up a cert in the CT log,
>> they'll be able to easily identify if the entire domain is secured by the same,
>> logged cert.
>
> I was thinking similarly. I propose that labels containing a "*" may
> not be redacted, as the "*" effectively is redaction.

http://trac.tools.ietf.org/wg/trans/trac/ticket/56

> Additionally,
> if the leftmost label is exactly "*", then it is considered redacted
> for the purposes of determining if the label to the right may be
> redacted. That would allow *.?.?.example.com to be an allowable
> redaction.

Good idea. I've noted this suggestion on ticket #56. Thanks Peter.

> I would also recommend that the rightmost two labels AND any labels
> making up a "public suffix" not be allowed to be redacted. I'm not
> sure if this should go into 6962bis or the policy of clients,
> auditors, and monitors, but redacting these effectively nullifies
> the reason for CT as far as I'm concerned.

That's what this section of the I-D attempts to address:

   7.3. Redaction of Public Domain Name Labels

   CAs SHOULD NOT redact domain name labels in Precertificates to the
   extent that domain name ownership becomes unclear (e.g.
   "(PRIVATE).com" and "(PRIVATE).co.uk" would both be problematic).
   Logs MUST NOT reject any Precertificate that is overly redacted but
   which is otherwise considered compliant. It is expected that
   monitors will treat overly redacted Precertificates as potentially
   misissued. TLS clients MAY reject a certificate whose corresponding
   Precertificate would be overly redacted.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
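The label-redaction rules discussed in this thread (a wildcard label may not be redacted, a leading "*" counts as already redacted for the label to its right, the rightmost two labels and any public-suffix labels stay visible, and the Section 7.3 concern that ownership must remain clear), written up as an added Python example that is not part of the draft or of any participant's message. The "?" placeholder for a redacted label follows Peter's "*.?.?.example.com" notation, and the tiny public-suffix set is a constructed stand-in for the real Public Suffix List; both are assumptions.

```python
from typing import List

# Assumed notation: "?" stands for one redacted label, as in "*.?.?.example.com"
REDACTED = "?"

# Constructed subset of the Public Suffix List, just enough for the examples below
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def _protected(labels: List[str], i: int) -> str:
    """Reason label i must stay visible, or "" if it may be redacted."""
    if i >= len(labels) - 2:
        return "one of the rightmost two labels"
    if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
        return "part of a public suffix"
    if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
        return "the registered domain label (ownership would become unclear)"
    if "*" in labels[i]:
        return "a wildcard label (the '*' already acts as redaction)"
    return ""


def redact(name: str, count: int) -> str:
    """CA side: redact the `count` leftmost labels of `name`, skipping a leading '*'.
    Raises ValueError when the rules discussed in the thread forbid the redaction."""
    labels = _labels(name)
    start = 1 if labels[0] == "*" else 0  # a leading "*" counts as already redacted
    if count < 0 or start + count > len(labels):
        raise ValueError("redaction count out of range")
    for i in range(start, start + count):
        why = _protected(labels, i)
        if why:
            raise ValueError(f"label {labels[i]!r} in {name!r} is {why}")
        labels[i] = REDACTED
    return ".".join(labels)


def is_overly_redacted(redacted_name: str) -> bool:
    """Monitor side: flag a logged name whose redaction hides ownership or
    is not a contiguous leftmost run (after an optional leading '*')."""
    labels = _labels(redacted_name)
    seen_clear = False
    for i, lab in enumerate(labels):
        if lab == "*" and i == 0:
            continue
        if lab != REDACTED:
            seen_clear = True
            continue
        if seen_clear or _protected(labels, i):
            return True
    return False
```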