[openssl-dev] [openssl.org #3502] nameConstraints bypass bug

Brian Smith brian at briansmith.org
Tue May 31 06:43:36 UTC 2016


On Mon, May 30, 2016 at 5:58 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:

> Name constraints in the X.509v3 PKI have not worked well, and are
> rarely used.  The attack requires an issuing CA to be willing to
> issue certificates beyond its constraints, that would be quite
> noticeable and rather unwise.  So I think this is not a major
> problem.  We should probably make a reasonable effort to address
> this, but the urgency is I think low.
>

Not too long ago, there were changes to the CABForum rules about
certificates to make it easier for any website to get a CA certificate
constrained to its domain name. There were some problems with the loosening
of the rules, and Apple has been slow to implement name constraints, so not
many websites are taking advantage of them. But, soon, I am hopeful, and I
expect, that it will soon be as easy to get a name-constrained CA certificate
as it is to get a wildcard certificate now. In fact, it is really
important for the security of many (smaller and medium-sized) websites that
this become possible, because this would make HPKP work much better and
reduce risks relative to wildcard certificates.

In particular, we should be designing things based on the assumption that
in the next few years, the owner of briansmith.org can get a CA certificate
with name constraint of dNSName=briansmith.org. Then the owner of
briansmith.org will be able to put Subject={CN=google.com} in his
certificates if he feels like it. And, we shouldn't even expect such
certificates to be revoked because they will be harmless to anybody that
does validation correctly (i.e. by either ignoring the subject CN or by
applying name constraints to the subject CN).

Is such a nuanced thing something that application developers can really be
expected to deal with on their own? I doubt it.

Cheers,
Brian
-- 
https://briansmith.org/
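
The validation choices named in the message above (ignore the subject CN, or apply name constraints to it), set beside a validator that does neither. This is an added example, not code from the post or from OpenSSL; certificates are modelled as plain data with no signature checking, and every name in it (`Cert`, `accepts`, the `looks_like_dns` heuristic) is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject_cn: str
    san_dns: list = field(default_factory=list)  # dNSName SAN entries

def in_subtree(name, base):
    """dNSName constraint match: name equals base or is a subdomain of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def looks_like_dns(cn):
    """Assumed heuristic: a CN with dots and no spaces is treated as a host name."""
    return "." in cn and " " not in cn

def permitted(cert, permitted_dns, check_cn):
    """Apply the issuing CA's permitted dNSName subtrees to the leaf's names."""
    names = list(cert.san_dns)
    if check_cn and looks_like_dns(cert.subject_cn):
        names.append(cert.subject_cn)
    return all(any(in_subtree(n, b) for b in permitted_dns) for n in names)

def host_matches(cert, host, cn_fallback):
    """Exact match against SANs (wildcards omitted); optional CN fallback if no SAN."""
    if cert.san_dns:
        return host.lower() in (n.lower() for n in cert.san_dns)
    return cn_fallback and cert.subject_cn.lower() == host.lower()

def accepts(cert, host, permitted_dns, *, check_cn, cn_fallback):
    return (permitted(cert, permitted_dns, check_cn)
            and host_matches(cert, host, cn_fallback))

# Constructed sample: a CA constrained to briansmith.org issues CN=google.com with no SAN.
CA_PERMITTED = ["briansmith.org"]
ROGUE = Cert(subject_cn="google.com")
HONEST = Cert(subject_cn="www.briansmith.org", san_dns=["www.briansmith.org"])

if __name__ == "__main__":
    modes = [
        ("constraints on SAN only, CN used for host match", dict(check_cn=False, cn_fallback=True)),
        ("constraints also applied to CN", dict(check_cn=True, cn_fallback=True)),
        ("CN ignored for host match", dict(check_cn=False, cn_fallback=False)),
    ]
    for label, opts in modes:
        print(f"{label}: rogue accepted = {accepts(ROGUE, 'google.com', CA_PERMITTED, **opts)}")
```
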