a guest
Jan 14th, 2015
Wow. I knew the problem is that when you issue the "secondary" certificate, the data you put into the CN/DN/etc. fields is completely out of the CA's control, so they don't do this, to prevent anyone from issuing valid certificates for arbitrary domain names, but I didn't know there is a standard for putting constraints on the names. Your post made me research a bit so... thanks!

So, in theory, there's a way to issue you a certificate that you can use to sign others, but only for the domain you have under control: https://tools.ietf.org/html/rfc5280#section-4.2.1.10. Unfortunately, it seems that - thanks to OpenSSL - this standard is dead and just can't be used in the real world: http://blog.codekills.net/2012/04/08/adventures-in-x509-the-utterly-ignored-nameconstraints/

The sad thing is, as I understand it, even though the constraints are set as "critical" (that is, "either you support this option or you must fail"), they're ignored, so it's pointless for OpenSSL/LibreSSL to fix the issue. I may be wrong, though.


BTW, your blog's auth is broken. Trying to authenticate through either WordPress or Twitter redirects back to an HTTPS URL, and the certificate's only valid for *.wordpress.com. Had to verify the key to match the one for wordpress.com by hand. ;)

ADDED: And even after this I only got a message "Sorry, this comment could not be posted." :(
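The comment above describes two things a path validator must do with the NameConstraints extension from RFC 5280 section 4.2.1.10: restrict the dNSName values a constrained sub-CA may certify, and refuse the chain outright if the extension is marked critical and the validator does not understand it. The following is an added, constructed example (not code from the comment, from OpenSSL, or from the linked blog): a toy evaluator over plain Python dicts that applies the dNSName matching rule (a constraint matches the host and any subdomain of it), accumulates permitted/excluded subtrees down the chain as RFC 5280 section 6.1 does, and models both the "enforced" and the "silently ignored" behaviour. No X.509 parsing is done; certificate contents, hostnames and the `supports_name_constraints` switch are assumptions for illustration.

```python
"""Toy evaluator for RFC 5280 4.2.1.10 dNSName name constraints.

Constructed example: certificates are plain records, not parsed X.509.
Only dNSName subject alternative names are modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    subject_dns: List[str]                       # dNSName SANs carried by this cert
    permitted: Optional[List[str]] = None        # permittedSubtrees (None = extension absent)
    excluded: List[str] = field(default_factory=list)  # excludedSubtrees
    constraints_critical: bool = True            # RFC 5280 requires the extension be critical


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName constraint matches the host itself and any
    host formed by adding labels to the left (i.e. any subdomain)."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")  # tolerate the ".example.com" form
    return name == subtree or name.endswith("." + subtree)


def check_chain(chain: List[Cert], supports_name_constraints: bool = True) -> str:
    """Walk root -> leaf (chain[0] is the trust anchor, chain[-1] the leaf).

    Every name in a certificate is checked against the constraints of all
    issuers above it: it must fall inside at least one permitted subtree of
    each constraining issuer (intersection) and inside no excluded subtree
    (union). Returns "ok" or a reason string.
    """
    permitted_sets: List[List[str]] = []   # one list per constraining issuer
    excluded: List[str] = []
    for depth, cert in enumerate(chain):
        if depth > 0:  # the trust anchor's own names are not subject to constraints
            for name in cert.subject_dns:
                if any(dns_in_subtree(name, ex) for ex in excluded):
                    return f"reject: {name} is in an excluded subtree"
                for pset in permitted_sets:
                    if not any(dns_in_subtree(name, p) for p in pset):
                        return f"reject: {name} is outside permitted subtrees {pset}"
        has_constraints = cert.permitted is not None or bool(cert.excluded)
        if not has_constraints:
            continue
        if not supports_name_constraints:
            # The "critical" rule: an unsupported critical extension must fail the chain.
            if cert.constraints_critical:
                return "reject: critical NameConstraints extension not understood"
            continue  # non-critical and unsupported: the validator may ignore it
        if cert.permitted is not None:
            permitted_sets.append(list(cert.permitted))
        excluded.extend(cert.excluded)
    return "ok"


# Constructed chain: a root, and a "secondary" CA that may only certify example.com
ROOT = Cert(subject_dns=[])
SUB_CA = Cert(subject_dns=[], permitted=["example.com"], excluded=["internal.example.com"])
NONCRIT_SUB_CA = Cert(subject_dns=[], permitted=["example.com"], constraints_critical=False)
GOOD_LEAF = Cert(subject_dns=["www.example.com"])
BAD_LEAF = Cert(subject_dns=["www.example.com", "www.example.org"])   # second name out of scope
EXCLUDED_LEAF = Cert(subject_dns=["db.internal.example.com"])


def demo() -> Dict[str, str]:
    """Outcomes for each constructed scenario, keyed by scenario name."""
    return {
        "in_scope": check_chain([ROOT, SUB_CA, GOOD_LEAF]),
        "out_of_scope": check_chain([ROOT, SUB_CA, BAD_LEAF]),
        "excluded": check_chain([ROOT, SUB_CA, EXCLUDED_LEAF]),
        # A validator that does not implement the extension must still fail here,
        # because the extension is critical.
        "unsupported_critical": check_chain([ROOT, SUB_CA, BAD_LEAF], supports_name_constraints=False),
        # The failure mode the comment worries about: a non-critical (or wrongly
        # ignored) constraint lets the out-of-scope leaf through.
        "unsupported_noncritical": check_chain([ROOT, NONCRIT_SUB_CA, BAD_LEAF], supports_name_constraints=False),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24s} {result}")
```

The last scenario is the point of the comment: the protection only exists if the validating library both implements the matching rule and honours the critical flag; a chain accepted under `supports_name_constraints=False` with a non-critical extension is exactly the "ignored" case. Which real TLS libraries enforce the extension is a property of each library and version, not of the certificates themselves.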