John Sutton wrote:
>
> At 09:48 04/07/98 +0100, you wrote:
> >> 5) I read somewhere that I can get a Thawte certificate (maybe anybody's
> >> cert?) associated with a wildcard domain name e.g. *.SCL.co.uk. If that's
> >> the case it surely makes sense to do it so that I can play around with the
> >> names later on if necessary. Are there any drawbacks to doing that?
> >
> >Technically no, but you are obviously downgrading the level of trust
> >that one can apply to the cert - you are using a generic 'site' cert, as
> >opposed to one for that particular server, and that introduces an
> >element of doubt into the trust equation. And no, you can't get
> >anybody's - Verisign, for example, specifically disallow 'special'
> >characters.
>
> I'm a bit foxed by that response. I can see your point about "downgrading
> the level of trust" _in_the_abstract_ but the nuts'n'bolts elude me! I
> don't understand at what point in the whole process the domain name against
> which the certificate is issued is actually referenced. This domain name is
> presumably embedded in the certificate, and at some point (or points) this
> name is compared to.... some other name... But which name, and by what, and
> when??? If that's too darn complicated to explain, perhaps someone could
> point me at some documentation.
It was the abstract to which I was referring - as I said, there are no
technical drawbacks (that I can think of)... However, if a user examines
your cert, (s)he will gain a lesser degree of comfort from something
that says '*.thing' than from 'specific.thing'. Since domains are not
tied to IP networks, and can therefore be anywhere, it is much easier to
hijack '<something>.thing' than 'this.particular.machine.thing' (and
before anyone jumps in and points out that if I can subvert the DNS of
<something>.thing, I could also do 'this.particular.machine.thing', my
point is that a new DNS entry could go unnoticed for much longer than a
changed one.). A 'trusted' '*.thing' cert is, therefore, a dangerous
thing to have lying around.
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
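The question in the thread is where, by what and when the certificate's name is compared to "some other name". The answer is: by the client (the browser), after the TLS handshake, comparing the host name the user connected to against the DNS name(s) in the server's certificate. The code below is an added example, not part of the original exchange; it implements that client-side check with the wildcard rules of later practice (RFC 2818 / RFC 6125, assumed here: a `*` may only be the whole leftmost label, it stands in for exactly one label, and it never covers an IP address). The host and certificate names are constructed for illustration; the public-suffix check that browsers also apply is omitted.

```python
"""Client-side host name check against a certificate's DNS names.

Added example, not code from the thread. Rules follow RFC 2818 / RFC 6125
(an assumption: the 1998 discussion predates both). The public-suffix
check real browsers add (refusing e.g. '*.co.uk') is deliberately omitted.
"""
import ipaddress


def _split_labels(name: str):
    # DNS names are case-insensitive; a trailing dot (absolute form) is ignored.
    return name.lower().rstrip(".").split(".")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate DNS name `pattern` covers `hostname`."""
    p_labels = _split_labels(pattern)
    h_labels = _split_labels(hostname)
    if "*" not in pattern:
        # A specific name must match label for label.
        return p_labels == h_labels
    # Wildcard rules: '*' must be the entire leftmost label, no other label
    # may contain one, and at least two fixed labels must follow it
    # (so '*.uk' is refused; '*.co.uk' would need a public-suffix list).
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard replaces exactly one label: same label count, and every
    # label to the right of the '*' must match exactly. This is why
    # '*.scl.co.uk' covers 'www.scl.co.uk' but not 'scl.co.uk' or
    # 'a.b.scl.co.uk'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def _is_ip_literal(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def verify_server_name(cert_dns_names, hostname):
    """Decide whether the certificate's DNS names cover the host the client
    connected to. Returns (ok, matched_name) or (False, reason)."""
    if _is_ip_literal(hostname):
        return False, "IP literal; DNS names never match it (an IP SAN would be needed)"
    for name in cert_dns_names:
        if _dns_name_matches(name, hostname):
            return True, name
    return False, "no DNS name in the certificate covers %r" % hostname


def hosts_accepted(cert_dns_names, hostnames):
    """Which of `hostnames` a client would accept this certificate for.
    Illustrates the thread's point: a wildcard cert is accepted for any new
    host name that appears under the domain, a specific cert for one only."""
    return [h for h in hostnames if verify_server_name(cert_dns_names, h)[0]]


if __name__ == "__main__":
    # Constructed sample data (not real certificates).
    candidates = ["www.scl.co.uk", "mail.scl.co.uk", "new-box.scl.co.uk", "scl.co.uk"]
    print("*.scl.co.uk accepts:   ", hosts_accepted(["*.scl.co.uk"], candidates))
    print("www.scl.co.uk accepts: ", hosts_accepted(["www.scl.co.uk"], candidates))
    print(verify_server_name(["*.scl.co.uk"], "192.0.2.10"))
```

Running the block shows the difference Adam describes: the wildcard certificate is accepted for `www`, `mail` and a host name that did not exist when the certificate was issued, whereas the specific certificate is accepted for exactly one name. The comparison happens in the client immediately after the handshake, before any application data is trusted; the name on the client side is the one from the URL the user typed or followed, which is why a DNS entry added under the domain is enough to make a wildcard certificate look legitimate on a machine the certificate holder never set up.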