<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 09/10/2013 08:13 PM, From Jeremy Rowley:
<blockquote cite="mid:007501ceae49$155fab40$401f01c0$@digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">I know we’ve
performed similar (non-malicious) experiments with DV certs
to see how easy it would be to phish a banking domain. It’s
pretty easy. I think this is a good launching point to
discuss how we can improve the BRs in a manner that prevents
these types of phishing attacks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
In this respect I have a hot topic I'm supposed to check with the
CAB Forum; this comes at a convenient time....<br>
<br>
From time to time we get requests for certificates that contain
possible domains within the host name, for example:<br>
<br>
<i>domain.com.dom.net</i><br>
<br>
Now we have made an effort to disallow this practice as much as
possible recently because it could be easily abused:<br>
<br>
<i>paypal.com.dom.net</i><br>
<br>
Or to make it more obvious:<br>
<br>
<i><a class="moz-txt-link-freetext"
href="https://www.paypal.com.some.net/us/cgi-bin/webscr?cmd=_flow&SESSION=KKIncv649JDbg">https://www.paypal.com.some.net/us/cgi-bin/webscr?cmd=_flow&SESSION=KKIncv649JDbg</a></i><br>
<br>
As it happens, some CAs issue such potentially confusing
certificates, and we ourselves get requests for them every once in a
while, in particular from companies that provide or want to provide
proxy services. In order to mask the names as much as possible, it
looks something like this (this is from a real request):<br>
<br>
*.sharepoint.com.some.com *.microsoftonline.com.some.com<br>
*.outlook.com.shamir.adallom.com *.office365.com.some.com<br>
<br>
This again could easily confuse a relying party, which might or
might not know about the MITM going on. <br>
<br>
I would like to know what the stance of the membership, in particular
the software vendors, is on this topic, and whether there is room to
clarify this via regulation in the BRs. Otherwise there is probably
no point in punishing our clients when they can easily get such
certificates elsewhere.<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
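<p>The pattern described in the message above (a well-known registrable domain such as paypal.com or outlook.com placed in the left-hand labels of a host name that actually belongs to some other domain) can be caught mechanically at vetting time. The following is an added example, not code from the original message or from any CA named in it; the public suffix set it uses is a tiny constructed stand-in for the real Public Suffix List, and all function names are the author's own.</p>

```python
"""Flag requested certificate names that embed another registrable domain.

Added example for the paypal.com.dom.net pattern discussed above. A CA or a
relying party could run this over the SAN list of a request to surface names
that look like one domain but are controlled by another.
"""

# Constructed stand-in for the Public Suffix List (publicsuffix.org); a real
# check would load the full list so that suffixes like co.uk are covered.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(labels):
    """Return the registrable domain (public suffix plus one label) or None."""
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return None


def embedded_domains(hostname):
    """Return registrable domains that appear inside the labels in front of
    the name's real registrable domain.

    For 'paypal.com.dom.net' the real registrable domain is 'dom.net'; the
    labels in front of it are ['paypal', 'com'], and 'paypal.com' ends in a
    public suffix, so it is reported. Wildcard labels are ignored.
    """
    labels = [l for l in hostname.lower().rstrip(".").split(".") if l != "*"]
    owned = registrable_domain(labels)
    if owned is None:
        return []
    prefix = labels[: len(labels) - len(owned.split("."))]
    found = []
    # Any run of prefix labels that ends in a public suffix reads as a domain.
    for end in range(2, len(prefix) + 1):
        for start in range(0, end - 1):
            if ".".join(prefix[start + 1:end]) in PUBLIC_SUFFIXES:
                found.append(".".join(prefix[start:end]))
    return found


def lint_names(names):
    """Map each requested name to the domains it embeds; clean names are omitted."""
    return {n: embedded_domains(n) for n in names if embedded_domains(n)}


if __name__ == "__main__":
    # The four wildcard names are the ones quoted in the message above.
    requested = ["*.sharepoint.com.some.com", "*.microsoftonline.com.some.com",
                 "*.outlook.com.shamir.adallom.com", "*.office365.com.some.com",
                 "www.dom.net"]
    for name, hits in lint_names(requested).items():
        print(f"{name}: embeds {', '.join(hits)}")
```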
</body>
</html>