[openssl-dev] [openssl.org #3502] nameConstraints bypass bug

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue May 31 14:49:05 UTC 2016


>>On May 31, 2016, at 9:54 AM, Blumenthal, Uri - 0553 - MITLL
>><uri at ll.mit.edu> wrote:
>> 
>>> As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iff
>>>there is no subjectAltName extension and iff the CN is a valid
>>>dNSName/iPAddress syntactically.
>> 
>> That approach seems wrong.
>
>Could you explain your point in more detail than putting "wrong"
>in bold text? Though ad-hoc, it seems about the best one can do,
>absent additional information.

IMHO allowing CN to be interpreted as a DNS name would open a new attack
surface by making more name collisions (between people and host names)
possible.
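To make the rule under discussion concrete, here is an added Python illustration (written for this page; it is not code from the thread, from OpenSSL or from mozilla::pkix). It implements the CN fallback exactly as the quoted message describes it, namely CN is used as a dNSName or iPAddress only when the certificate carries no subjectAltName extension and the CN parses as one of those, and then applies RFC 5280 style permitted/excluded subtree matching to the resulting names. The certificate is modelled as a plain dict with constructed `cn` and `san` fields rather than parsed DER, and IP subtrees are written as CIDR strings for brevity; both are simplifications assumed for the example.

```python
import ipaddress
import re

# Hostname label syntax (RFC 1123 style): letters, digits and hyphens,
# no leading or trailing hyphen, 1-63 chars per label, <= 253 chars total.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(s):
    """True if s is syntactically a DNS host name."""
    if not s or len(s) > 253 or s.endswith("."):
        return False
    return all(_LABEL_RE.match(label) for label in s.split("."))


def is_valid_ip(s):
    """True if s is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def effective_names(cert):
    """Return the (type, value) names that name constraints are checked against.

    cert is a constructed dict: {"cn": str or None, "san": list of (type, value) or None}.
    A san of None models 'no subjectAltName extension'; a list models a present
    extension (possibly empty). The CN fallback follows the rule quoted in the
    thread: CN counts as dNSName/iPAddress only when there is no SAN extension
    AND the CN parses as such. A CN like 'John Smith' yields no host identity.
    """
    if cert.get("san") is not None:
        return list(cert["san"])
    cn = cert.get("cn")
    if cn is None:
        return []
    if is_valid_ip(cn):
        return [("iPAddress", cn)]
    if is_valid_dns_name(cn):
        return [("dNSName", cn)]
    return []


def dns_in_subtree(name, base):
    """RFC 5280 4.2.1.10: 'example.com' matches itself and all subdomains;
    a base with a leading dot ('.example.com') matches subdomains only."""
    name, base = name.lower(), base.lower()
    if base.startswith("."):
        return name.endswith(base)
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr, base_cidr):
    """iPAddress subtree check; base given as CIDR (DER encodes address+mask)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(base_cidr, strict=False)


def check_name_constraints(cert, permitted_dns=(), excluded_dns=(),
                           permitted_ip=(), excluded_ip=()):
    """Return (ok, reason). Excluded subtrees always win; a non-empty
    permitted list for a name type requires every name of that type to match."""
    for typ, val in effective_names(cert):
        if typ == "dNSName":
            if any(dns_in_subtree(val, b) for b in excluded_dns):
                return False, f"dNSName {val} is in an excluded subtree"
            if permitted_dns and not any(dns_in_subtree(val, b) for b in permitted_dns):
                return False, f"dNSName {val} is outside the permitted subtrees"
        elif typ == "iPAddress":
            if any(ip_in_subtree(val, b) for b in excluded_ip):
                return False, f"iPAddress {val} is in an excluded subtree"
            if permitted_ip and not any(ip_in_subtree(val, b) for b in permitted_ip):
                return False, f"iPAddress {val} is outside the permitted subtrees"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an intermediate CA constrained to example.com.
    permitted = ("example.com",)
    for cert in ({"cn": "www.example.com", "san": None},   # CN fallback, inside subtree
                 {"cn": "www.other.test", "san": None},    # CN fallback, outside subtree
                 {"cn": "John Smith", "san": None}):       # not a host name: no names checked
        print(cert["cn"], "->", check_name_constraints(cert, permitted_dns=permitted))
```

The second sample certificate is the case the bug title is about: with no SAN, a validator that never maps CN to a dNSName sees no names at all and lets the certificate through the constrained CA unchecked, whereas the fallback above rejects it. The third sample shows the collision concern raised in the reply: a CN that is not host-name shaped is not checked, so whether a given CN is treated as a host identity depends purely on its syntax.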