[cabfpub] Misissuance of certificates

Doug Beattie doug.beattie at globalsign.com
Mon Nov 9 16:52:59 UTC 2015



If the public can access a site and can view the certificate then I agree
the customer has made it public.  But, publicly trusted certificates are
also used within company firewalls on intranets.  In this case the customer
may have an expectation (right or wrong) that the certificate and the FQDNs
contained within it remain "private".  Exposing all FQDNs within internal
networks could represent a security concern as it could give attackers
information about the network they would otherwise not have.  We've received
this input when scanning internal networks for SSL certificates: customers
get twitchy about providing that info to us, never mind making it public.


We had been planning to use CT with name redaction to support making all
certificates publicly available without exposing the exact FQDNs being
secured.  When CT is mandated for all certificates there will be no choice
about whether or not to comply, but we hope name redaction is well defined
and accepted by then.  The only other alternative is to set up name
constrained CAs for every enterprise customer, which is also certainly



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Eddy Nigg
Sent: Monday, November 9, 2015 11:26 AM
To: Dean Coclin <Dean_Coclin at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates



On 11/09/2015 03:29 PM, Dean Coclin wrote:

You made a statement in another email which, if I'm remembering correctly,
said something like this: If a cert is issued from a public root, for public
domains, for use by the public, then its contents are automatically public.

I think by definition any certificate content is meant for public
consumption, e.g. a third party that relies on it. As compared to sensitive
documents or other personal details that may be used for the verification of
a party stated in a certificate, that part wouldn't be meant for public
