On Mon, Mar 6, 2017 at 6:48 AM, Salz, Rich <[email protected]> wrote: > Looks great, but what does viable mean in "is the only viable match" ?
For example, if a redacted name looks like '??.example.com' and the definition of '??' is "matches one or more labels", then a precert with: "dNSName:??.example.com, dNSName:??.example.com, dNSName:??.example.com" could match infinite names. On the other hand, a redacted name is "??ab347e5e.example.com" and the value after the "??" is a truncated hash, then the number of matches is much lower. Once you consider that these are dNSName, so the only valid characters are a-z, A-Z, 0-9, '-', '.', and maybe '_', the chance of two strings colliding is very low, even with a severely truncated hash. If the '??' rule is used, then a malicious CA could issue two different certificates with the same serial number, one that is "innocent" and one that has the real target name. Thanks, Peter _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
