[cabfpub] EV Wildcards

Tim Shirley TShirley at trustwave.com
Fri Mar 20 14:29:34 UTC 2015


If I'm understanding your scenario correctly, Bruce, it seems clear-cut to me that the current EV requirements would have prevented that scenario.

Say I owned example.com and wanted to get an EV certificate to use for several high profile sites I run:
www.example.com
login.example.com
images.example.com

Now suppose someone bad stole my key and I didn't know about it.  Under the current EV Guidelines, the only sites that person could use that key to impersonate are the 3 I mentioned.  That's certainly very bad; they could be MITMing my sites.

But now let's say I had gotten an EV cert for *.example.com instead.  Now I've opened up a new class of attack: the bad person could set up "othersite.example.com" and impersonate my company, and there would be no way for me to know that rogue site even exists.  So I'm not sure how this reduction in security should be weighed against other arguments (i.e. allowing wildcards for EV could improve security by increasing its adoption), but it seems clear that it does reduce security in that type of scenario.

Regards,
Tim
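
The scenario above turns on which hostnames a TLS client will accept for a given certificate: a stolen key is only useful for the names the certificate covers. The following is an added example, not code from the original message or from any CA/Browser Forum document; it models the dNSName matching rules of RFC 6125 section 6.4.3 (wildcard only as the complete left-most label, matching exactly one label, never the bare domain) and applies them to the two certificate shapes Tim describes. The SAN lists and the list of "observed" hostnames, including the rogue othersite.example.com, are constructed for illustration. The refusal to match very short wildcard names such as "*.com" is a simplifying heuristic here, not the public-suffix check real browsers perform.

```python
"""Hostname coverage under a SAN-list certificate vs. a wildcard certificate.

Models RFC 6125 section 6.4.3 matching for dNSName entries: a '*' is valid only
as the whole left-most label, it matches exactly one label, and it never covers
the base domain itself. Constructed example; not a real TLS implementation.
"""

# Constructed sample data: the two certificate shapes from the scenario.
SAN_CERT = ["www.example.com", "login.example.com", "images.example.com"]
WILDCARD_CERT = ["*.example.com"]


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot denotes the root.
    return name.strip().rstrip(".").lower()


def name_matches(presented: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers the hostname connected to."""
    presented = _normalize(presented)
    hostname = _normalize(hostname)
    if "*" not in presented:
        # Non-wildcard entries match exactly, nothing more.
        return presented == hostname
    labels = presented.split(".")
    host_labels = hostname.split(".")
    # '*' must be the entire left-most label: reject "w*.example.com",
    # "*.*.example.com" and "www.*.com".
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    # Heuristic (assumption, not a public-suffix check): require at least two
    # labels after the '*' so something like "*.com" never matches anything.
    if len(labels) < 3:
        return False
    # The '*' stands for exactly one label: "*.example.com" covers
    # "foo.example.com" but neither "example.com" nor "a.b.example.com".
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def covered_hostnames(san_entries, hostnames):
    """Sorted, normalized set of the hostnames a client would accept for this cert."""
    return sorted(
        {_normalize(h) for h in hostnames if any(name_matches(s, h) for s in san_entries)}
    )


# Constructed list of hostnames: the three legitimate sites plus names an
# attacker holding the stolen private key might try to stand up.
OBSERVED = [
    "www.example.com",
    "login.example.com",
    "images.example.com",
    "othersite.example.com",       # rogue host the subscriber never set up
    "example.com",                 # bare domain: not covered by "*.example.com"
    "deep.othersite.example.com",  # two labels left of example.com: not covered
    "WWW.EXAMPLE.COM",             # case variant of a legitimate name
    "example.com.evil.test",       # unrelated domain sharing a label prefix
]

if __name__ == "__main__":
    print("SAN cert covers:     ", covered_hostnames(SAN_CERT, OBSERVED))
    print("Wildcard cert covers:", covered_hostnames(WILDCARD_CERT, OBSERVED))
```

Run stand-alone, the SAN-list certificate covers exactly the three named sites, while the wildcard additionally covers othersite.example.com (and any other single label the attacker chooses), but still not example.com itself or anything two labels deep.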

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Friday, March 20, 2015 10:02 AM
To: Jeremy Rowley
Cc: CABFPub
Subject: Re: [cabfpub] EV Wildcards

My main point is that adding wildcard will provide same-ness with OV/DV without increasing security. This may appear to be a change for marketing purposes and not for security issues. I think that it is hard to increase security, so we need to be careful if we are planning to reduce it.

Bruce.

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Friday, March 20, 2015 9:51 AM
To: Bruce Morton
Cc: Ryan Sleevi; CABFPub
Subject: Re: [cabfpub] EV Wildcards

It seems awfully speculative to say EV would have prevented this under the current EV requirements.


Bruce Morton <bruce.morton at entrust.com> wrote:
Here is my recollection from an event.

We were informed that a site with a certificate we issued was blacklisted. We informed the customer, which had a wildcard certificate, and they had a site which they did not know about. Not sure if it was an internal attack or how it was posted. The result was not that we had a bad subscriber, but we had a subscriber which was attacked, but did not know it yet.

Bruce.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, March 20, 2015 9:31 AM
To: Bruce Morton
Cc: CABFPub; jeremy rowley
Subject: Re: [cabfpub] EV Wildcards


On Mar 20, 2015 6:27 AM, "Bruce Morton" <bruce.morton at entrust.com> wrote:
>
> Hi Jeremy,
>
> Thanks for bringing this up. Our position is that we would like EV certificates to be better than OV and DV. I think that was what we tried to do when the original specification was created.
>
> We believe that wildcard certificates have a higher security risk. Another example of a risk is that if a subscriber wants to protect 10 subdomains, then a wildcard certificate can be used. But what if an attacker adds an 11th subdomain? Then the certificate can still be used. Seems like a risk we can avoid with the current EV spec.
>
> As such, based on this risk and other examples which have been brought up, we would not be in favor of adding wildcard to EV.
>
> Thanks, Bruce.

Hi Bruce,

I am having trouble understanding your attack scenario. Could you elaborate on what it means for an attacker to add a subdomain - how that might happen and what might be done by an attacker who could?
