On 08/08/13 22:08, Yoav Nir wrote: > On Aug 8, 2013, at 11:57 PM, Chris Palmer <[email protected]> wrote: > >> On Thu, Aug 8, 2013 at 1:42 PM, Yoav Nir <[email protected]> wrote: >> >>> If you go to https://www.iana.org, you get the following certificate chain: >>> - *.iana.org >>> - Go Daddy Secure Certification Authority >>> - Go Daddy Class 2 Certification Authority >>> >>> So without any registry, you can pin to "Go Daddy Class 2 Certification >>> Authority". But the next time IANA needs to get a certificate (August >>> 2016), even if they get it from Go Daddy, they might get it from the other >>> root CA ("Go Daddy Root Certificate Authority - G2"), which signs with >>> SHA-256, and who knows, by then they might have a new one, perhaps with >>> ECDSA. As a customer, you talk to a vendor. Most customers don't know which >>> TA is actually going to be used. In some cases (Symantec) there are very >>> many of them. >>> >>> Someone needs to map "Symantec" to a list of pins, and IMO that someone is >>> neither the IETF nor IANA. >> Insane idea (yes, I know it is insane): What if we chose not to have a >> registry, and let people use substrings of issuer certificate >> CNs/OUs/whatevers as trust anchor set names? > Substring??? RegExp!! :-) > >> Obvious problems: >> >> * character set encoding in the HTTP header vs. in the X.509 >> certificate: Welcome To Fun-Land, Where Fun Is Not Very Fun(TM) >> * silly substrings, like "Go" matching both "...Go Daddy..." and >> "...Google Internet Authority..." and "...Evil Bad People (Goats)..." >> * substitution characters: should "Securite" match "...Sécurité Réseau..." ? >> >> I'm sure we can all think of more problems… > Sure. > > Symantec has done a lot of mergers and acquisitions, including of Verisign, > which also did its share of mergers and acquisitions. So that now, Symantec > has root CAs with brand names Symantec, Verisign, Thawte, and probably > several others that I have forgotten. The chances of misconfiguration and > bricking yourself with a new certificate are rather high. > > Yoav >
<no hats> Actually, I think the chances of bricking yourself are reasonably low/ok. 1. Consider that the CA must have the responsibility to inform the website about any name changes of its organisation. 2. the name change of the cert only hits you when you get a new cert from the organisation, as the name in your existing cert is still the old one (old signing CA). 3. Before adding a new individual cert you need to phase out the old, by using the dual pin (or dual name). So I think the technical requirements are reasonably low to make this work. And if people don't feel they are capable to do so, they can stay with the normal pin to individual certs. Just my 5cents, Tobias
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
