<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">In case someone wants to play with the
      certificates produced by Ben from GlobalSign, they're attached to
      this mail.<br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Erwann ABALEA

</pre>
On 17/07/2013 19:52, Erwann Abalea wrote:<br>
    </div>
    <blockquote cite="mid:51E6D9D1.2010706@keynectis.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">Hello,<br>
        <br>
        Reading the X.509 standard (8.4.2.2 and Annex G):<br>
        <ul>
          <li>SSL1.cer is invalid because it has a SAN/dnsName
            containing "anything.example.com" and its issuer CA has a
            NameConstraints that only allows dnsNames ending in
            "onlythis.com"; could you produce certificates with matching
            names ("google.com"/"onlythis.com")?<br>
          </li>
          <li>SSL2.cer is invalid for the same reason.</li>
          <li>SSL3.cer is valid ("C=US, ST=MA, L=Boston, O=Example LLC,
            O=Google, CN=*.google.com" is a subordinate of "C=US, ST=MA,
            L=Boston, O=Example LLC", which is the only permitted
            directoryName form, and the EE cert doesn't contain a SAN
            extension).</li>
        </ul>
        I tried to find equivalent tests in PKITS, with no luck (the
        closer I get is with a NC permitting a DN and an rfc822Name, and
        the EE has its email in the SAN, not in the subject).<br>
        <br>
        <br>
        Testing with real browsers gives:<br>
        <ul>
          <li>FF22.0, SSL1.cer, SSL2.cer, SSL3.cer: NOK<br>
            L'autorité de certification pour ce certificat n'est pas
            autorisé à délivrer un certificat avec ce nom.<br>
            (Code d'erreur : sec_error_cert_not_in_name_space)</li>
          <li>IE8/XPSP3, SSL1.cer, SSL2.cer, SSL3.cer: NOK<br>
            Le certificat de sécurité présenté par ce site Web a été
            émis pour une autre adresse de site Web.</li>
          <li>I guess that Chrome and Safari will produce the same
            result on that platform.<br>
          </li>
          <li>Opera12.15/XPSP3, SSL1.cer, SSL2.cer: NOK<br>
            Connexion sécurisée: erreur fatale (47)<br>
          </li>
          <li>Opera12.15/XPSP3, SSL3.cer: OK (owner is shown as
            "*.google.com, Example LLC, Google")</li>
          <li>OpenSSL-based clients, SSL1.cer, SSL2.cer: NOK<br>
            Verify return code: 47 (permitted subtree violation)</li>
          <li>OpenSSL-based clients, SSL3.cer: OK</li>
        </ul>
        <br>
        It seems FF and CAPI (XPSP3) consider that the CN is to be
        validated as a dnsName and not as part of the directoryName
        (hence it's validated against NC.PermittedSubTrees.dnsName
        instead of NC.PermittedSubTrees.directoryName). This behaviour
        isn't mentioned in RFC5280 either, but it's logical (legacy use
        of email addresses in the subjectName is also mentioned in
        RFC5280, and the same kind of treatment regarding NC extension
        is proposed). However, I don't know if that behaviour is the
        result of heuristics (does the CN look like a FQDN?), and how
        all this will work with internationalized domain names. There's
        room for failures.<br>
        <br>
        Opera uses OpenSSL, clearly, and they both follow X.509 to the
        letter.<br>
        <br>
        I don't have anything more recent than XPSP3 as a VM, sorry.<br>
        <br>
        <pre class="moz-signature" cols="72">-- 
Erwann ABALEA

</pre>
        On 17/07/2013 17:09, Ben Lightowler wrote:<br>
      </div>
      <blockquote
        cite="mid:243101ce82ff$a02cb940$e0862bc0$@globalsign.com"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=ISO-8859-1">
        <div class="WordSection1">
          <p class="MsoNormal">Hi Erwann,<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">Steve asked me to put together some
            example certificates based on your concerns surrounding Name
            Constraints; please find a zip attached with a Root and
            Issuing CA, as well as three SSL certificates created to your
            specifications in the examples you gave earlier.<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal">Hope this helps,<o:p></o:p></p>
          <p class="MsoNormal"><o:p> </o:p></p>
          <p class="MsoNormal" style="line-height:115%"><b><span
                style="color:#1F497D;mso-fareast-language:EN-GB">Ben
                Lightowler<o:p></o:p></span></b></p>
          <p class="MsoNormal" style="line-height:115%"><span
style="font-size:10.0pt;line-height:115%;color:#1F497D;mso-fareast-language:EN-GB">Sales

              Engineer</span><b><span
                style="color:#1F497D;mso-fareast-language:EN-GB"><o:p></o:p></span></b></p>
          <p class="MsoNormal" style="line-height:115%"><b><span
style="font-size:4.0pt;line-height:115%;color:#1F497D;mso-fareast-language:EN-GB"><o:p> </o:p></span></b></p>
          <p class="MsoNormal" style="line-height:115%"><b><span
                style="color:#1F497D;mso-fareast-language:EN-GB">GlobalSign<o:p></o:p></span></b></p>
          <p class="MsoNormal" style="line-height:115%"><span
style="font-size:10.0pt;line-height:115%;color:#1F497D;mso-fareast-language:EN-GB">+44 

              (0) 1622 766766 <o:p></o:p></span></p>
          <p class="MsoNormal" style="line-height:115%"><span
style="font-size:10.0pt;line-height:115%;color:#1F497D;mso-fareast-language:EN-GB"><a
                moz-do-not-send="true"
                href="http://www.globalsign.co.uk/"><span
                  style="color:blue">www.globalsign.co.uk</span></a> | <a
                moz-do-not-send="true" href="http://www.globalsign.eu/"><span
                  style="color:blue">www.globalsign.eu</span></a> <o:p></o:p></span></p>
          <p class="MsoNormal" style="line-height:115%"><span
style="font-size:7.5pt;line-height:115%;color:#1F497D;mso-fareast-language:EN-GB">Springfield

              House, Sandling Road, Maidstone, Kent, ME14 2LP, UK. <o:p></o:p></span></p>
          <p class="MsoNormal"><span
              style="font-size:7.5pt;color:#1F497D;mso-fareast-language:EN-GB">Tel:

              +44 1622 766766  Fax: +44 1622 662255<o:p></o:p></span></p>
        </div>
      </blockquote>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
    </blockquote>
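    <p>The two validation readings compared in the quoted message (strict X.509, where the subject CN is only part of the directoryName, versus the Firefox/CAPI behaviour that also validates the CN as a dnsName), as an added example that is not part of the thread or of any cited implementation. It models certificates as plain dicts and reconstructs SSL1/SSL3 from the descriptions in the mail; SSL1's subject DN and the wildcard handling are assumptions.</p>

```python
# Added example: name-constraint check for the SSL1/SSL3 cases in the thread.
# Certs are modelled as dicts (assumption): an ordered subject DN and SAN dNSNames.
# cn_as_dnsname=True mimics the Firefox/CAPI behaviour the thread observes.

# Issuing-CA NameConstraints as described in the mail.
NC = {
    "permitted_dns": ["onlythis.com"],
    "permitted_dn": [[("C", "US"), ("ST", "MA"), ("L", "Boston"), ("O", "Example LLC")]],
}

def dns_in_subtree(name, base):
    # RFC 5280 4.2.1.10: "onlythis.com" permits itself and any subdomain,
    # not "notonlythis.com". A leading "*." label is dropped (assumption).
    name, base = name.lower().rstrip("."), base.lower().lstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == base or name.endswith("." + base)

def dn_in_subtree(subject, base):
    # directoryName subtree: base DN must be a leading RDN prefix of the subject.
    return len(subject) >= len(base) and all(
        a == b and x.lower() == y.lower() for (a, x), (b, y) in zip(subject, base))

def check(cert, nc, cn_as_dnsname):
    # Returns (accepted, reason). False = strict X.509 (OpenSSL/Opera in the thread),
    # True = subject CN also validated as a dnsName (Firefox/CAPI in the thread).
    dns_names = list(cert["san_dns"])
    if cn_as_dnsname:
        dns_names += [v for a, v in cert["subject"] if a == "CN"]
    for n in dns_names:
        if not any(dns_in_subtree(n, b) for b in nc["permitted_dns"]):
            return False, "permitted subtree violation (dnsName %s)" % n
    if not any(dn_in_subtree(cert["subject"], b) for b in nc["permitted_dn"]):
        return False, "permitted subtree violation (directoryName)"
    return True, "ok"

BASE_DN = NC["permitted_dn"][0]
# Constructed certs following the descriptions in the thread (SSL1's subject is assumed).
SSL1 = {"subject": BASE_DN + [("CN", "anything.example.com")],
        "san_dns": ["anything.example.com"]}
SSL3 = {"subject": BASE_DN + [("O", "Google"), ("CN", "*.google.com")], "san_dns": []}
GOOD = {"subject": BASE_DN + [("CN", "www.onlythis.com")], "san_dns": ["www.onlythis.com"]}

if __name__ == "__main__":
    for label, cert in (("SSL1", SSL1), ("SSL3", SSL3), ("GOOD", GOOD)):
        for browser in (False, True):
            print(label, "browser" if browser else "strict", check(cert, NC, browser))
```

    <p>SSL3 is accepted in strict mode and rejected in browser mode, reproducing the OpenSSL/Opera versus Firefox/CAPI split reported above.</p>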
    <br>
  </body>
</html>