[openssl-dev] [openssl.org #3502] nameConstraints bypass bug

Viktor Dukhovni openssl-users at dukhovni.org
Tue May 31 15:03:32 UTC 2016


On Tue, May 31, 2016 at 02:49:05PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> >Could you explain your point in more detail than putting "wrong"
> >in bold text? Though ad-hoc, it seems about the best one can do,
> >absent additional information.
> 
> IMHO allowing CN to be interpreted as a DNS name would open a new attack
> surface by making more name collisions (between people and host names)
> possible.

That genie is already out of the bottle, see RFC6125 references
upthread.  What's under discussion is extending DNS nameConstraints
to the CN, *given* that it is already often used in name checks.

Nobody is proposing using CN in name checks where it is not already
in use.

-- 
	Viktor.
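To make the point of the thread concrete, here is an added example (not OpenSSL's code, and not from any participant) that applies dNSName permitted/excluded subtrees to a leaf's SAN names and, optionally, to a hostname-shaped CN; the constraint sets and names are constructed, and the leading-dot "subdomains only" form is treated here as a convenience rather than an RFC 5280 requirement.

```python
"""Apply X.509 DNS nameConstraints to SAN dNSNames and, when the verifier
would also fall back to it, to the subject CN.  Added example; not OpenSSL
code.  All names and constraint sets below are constructed for illustration."""
from dataclasses import dataclass, field


def _norm(name):
    # Case-insensitive compare, ignore a trailing root dot.
    return name.lower().rstrip(".")


def dns_matches_constraint(name, constraint):
    """RFC 5280 4.2.1.10 dNSName matching: the constraint matches itself and any
    name built by adding labels on the left.  A leading '.' (assumed convention,
    not RFC text) is taken to match subdomains only."""
    name, constraint = _norm(name), _norm(constraint)
    if constraint == "":
        return True                      # empty constraint matches every dNSName
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


@dataclass
class DnsConstraints:
    permitted: list = field(default_factory=list)  # permittedSubtrees dNSName entries
    excluded: list = field(default_factory=list)   # excludedSubtrees dNSName entries

    def allows(self, name):
        if any(dns_matches_constraint(name, c) for c in self.excluded):
            return False
        if self.permitted and not any(dns_matches_constraint(name, c) for c in self.permitted):
            return False
        return True


def looks_like_hostname(cn):
    """Only treat the CN as a DNS name when it plausibly is one; a personal name
    such as 'John Doe' is never checked, matching 'where it is already in use'."""
    return bool(cn) and " " not in cn and "@" not in cn and "." in cn


def check_leaf_names(san_dns, cn, constraints, cn_as_dns=True):
    """Return the names that violate the constraints.  With cn_as_dns=False a CN
    outside the permitted subtree is never examined: the bypass under discussion."""
    names = list(san_dns)
    if cn_as_dns and looks_like_hostname(cn):
        names.append(cn)
    return [n for n in names if not constraints.allows(n)]
```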

