From: Daniel Kahn Gillmor
Subject: [Savannah-help-public] [sr #106474] CN in TLS certificate (savannah.*gnu.org) is too broad -- use SubjectAltNames instead.
Date: Fri, 22 Aug 2008 17:02:32 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071618 Iceweasel/3.0.1 (Debian-3.0.1-1)
URL: <http://savannah.gnu.org/support/?106474>
Summary: CN in TLS certificate (savannah.*gnu.org) is too broad -- use SubjectAltNames instead.
Project: Savannah Administration
Submitted by: dkg
Submitted on: Fri 22 Aug 2008 01:02:30 PM EDT
Category: Savannah website
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Assigned to: None
Originator Email: Daniel Kahn Gillmor <address@hidden>
Operating System: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
In the TLS certificate used by the savannah web site (both gnu and nongnu), the subject DN appears to be:

/C=US/O=FSF/OU=Savannah/CN=savannah.*gnu.org/

The CN (the relevant piece checked by most TLS implementations against the hostname of the server in the absence of the SubjectAltNames extension) is far too broad.

If one were to accept this certification, the implication is that the holder of this certificate could register "ihategnu.org", put up a server at "savannah.ihategnu.org", and use the same certificate/keypair. If the CA issuing the cert (the savannah CA? the FSF CA?) wants its certifications to be taken seriously, it should probably avoid issuing certs with such broad CNs.

A better strategy would be to leave the CN as savannah.gnu.org, but add the X.509v3 SubjectAltName extension, containing two DNS names: savannah.gnu.org and savannah.nongnu.org.
_______________________________________________________
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
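The following is an added illustration of the hostname-matching behaviour the report describes; it is not code from the report, from Savannah, or from any TLS library. The two certificate dictionaries are constructed stand-ins for the broad certificate (CN only) and the proposed fix (CN plus SubjectAltName), not parsed from a real certificate. `glob_match` approximates the permissive wildcard handling the report assumes, in which `savannah.*gnu.org` also covers `savannah.ihategnu.org`; `rfc6125_match` is a stricter matcher in the spirit of RFC 6125 section 6.4.3, where a wildcard is only accepted as the whole left-most label. `cert_matches_host` applies the usual client rule: when DNS SubjectAltNames are present they are authoritative and the CN is not consulted.

```python
"""Hostname matching against an X.509 subject CN versus SubjectAltName.

Added example; constructed certificate stand-ins, not real Savannah data.
"""
from fnmatch import fnmatchcase

# Constructed stand-ins for the two certificates discussed in the report.
BROAD_CERT = {"cn": "savannah.*gnu.org", "san": []}
FIXED_CERT = {
    "cn": "savannah.gnu.org",
    "san": ["savannah.gnu.org", "savannah.nongnu.org"],
}


def glob_match(pattern, hostname):
    """Permissive glob matching: '*' may sit anywhere in the name and may
    span dots. This approximates the loose behaviour the report warns
    about, under which 'savannah.*gnu.org' also matches
    'savannah.ihategnu.org'."""
    return fnmatchcase(hostname.lower(), pattern.lower())


def rfc6125_match(pattern, hostname):
    """Stricter matching in the spirit of RFC 6125 section 6.4.3: a
    wildcard is accepted only as the whole left-most label, matches exactly
    one label, and must be followed by at least two literal labels."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard is not a whole left-most label
    if len(p_labels) < 3:
        return False  # '*.org'-style patterns are too broad
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert, hostname, matcher=rfc6125_match):
    """Return True if the certificate identifies hostname. DNS
    SubjectAltNames are authoritative when present; the subject CN is
    consulted only when the SAN extension is absent."""
    names = cert["san"] if cert["san"] else [cert["cn"]]
    return any(matcher(name, hostname) for name in names)


if __name__ == "__main__":
    for host in ("savannah.gnu.org", "savannah.nongnu.org",
                 "savannah.ihategnu.org"):
        print(host,
              "broad/glob:", cert_matches_host(BROAD_CERT, host, glob_match),
              "broad/strict:", cert_matches_host(BROAD_CERT, host),
              "fixed/glob:", cert_matches_host(FIXED_CERT, host, glob_match),
              "fixed/strict:", cert_matches_host(FIXED_CERT, host))
```

The SAN-based certificate rejects `savannah.ihategnu.org` under both matchers, since neither listed name contains a wildcard, while the broad CN is either accepted for every `savannah.*gnu.org` host (glob) or rejected for every host (strict), which is the worst of both outcomes. To issue the corrected certificate with OpenSSL 1.1.1 or later, the SAN list can be supplied to `openssl req` as `-addext "subjectAltName=DNS:savannah.gnu.org,DNS:savannah.nongnu.org"` alongside the CN in `-subj`.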