- Wow. I knew the problem was that, when you issue a "secondary" certificate, the data you put into the CN/DN/etc. fields is completely out of the CA's control, so they don't do this, to prevent anyone from issuing valid certificates for arbitrary domain names, but I didn't know there is a standard for putting constraints on the names. Your post made me research a bit, so... thanks!
- So, in theory, there's a way to issue you a certificate that you can use to sign others, but only for the domain you have under control: https://tools.ietf.org/html/rfc5280#section-4.2.1.10. Unfortunately, it seems that - thanks to OpenSSL - this standard is dead and just can't be used in the real world: http://blog.codekills.net/2012/04/08/adventures-in-x509-the-utterly-ignored-nameconstraints/
- The sad thing is, as I understand it, even though the constraints are set as "critical" (that is, "either you support this option or you must fail"), they're ignored, so it's pointless for OpenSSL/LibreSSL to fix the issue. I may be wrong, though.
- BTW, your blog's auth is broken. Trying to authenticate through either WordPress or Twitter redirects back to an HTTPS URL, and the certificate is only valid for *.wordpress.com. I had to verify by hand that the key matches the one for wordpress.com. ;)
- ADDED: And even after this, I only got the message "Sorry, this comment could not be posted." :(
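What the RFC 5280 section 4.2.1.10 check referenced above actually requires of a validator, as an added example that is not part of the original comment, of OpenSSL, or of the linked blog post: the `NameConstraints` class, `check_leaf` and the helper functions are hypothetical names chosen here, only the dNSName and rfc822Name forms are modelled, and the sample chain (an unconstrained root plus an organisation sub-CA locked to `example.com`) and the subjectAltName inputs are constructed for illustration.

```python
"""RFC 5280 section 4.2.1.10 name-constraint evaluation for a leaf certificate.

Added illustration, not code from the original comment, from OpenSSL or from
the linked blog.  Only the dNSName and rfc822Name forms are modelled, names
are taken from a (constructed) subjectAltName, and the sample chain is made up.
"""
from dataclasses import dataclass, field


def dns_in_subtree(name: str, constraint: str) -> bool:
    """A dNSName satisfies a constraint if it equals it or adds labels on the
    left; the match is at a label boundary, so 'host1.example.com' does not
    satisfy 'host.example.com' (the RFC's own example)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint == "":           # empty subtree: every DNS name (used to exclude all)
        return True
    return name == constraint or name.endswith("." + constraint)


def email_in_subtree(addr: str, constraint: str) -> bool:
    """rfc822Name: 'user@host' names one mailbox, 'host' every mailbox on that
    host, '.example.com' every host within that domain."""
    addr, constraint = addr.lower(), constraint.lower()
    if "@" in constraint:
        return addr == constraint
    host = addr.rsplit("@", 1)[-1]
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


MATCHERS = {"dns": dns_in_subtree, "email": email_in_subtree}


@dataclass
class NameConstraints:
    """One CA certificate's nameConstraints extension: {name type: [subtrees]}.
    A CA with neither dict populated (e.g. a public root) constrains nothing."""
    permitted: dict = field(default_factory=dict)
    excluded: dict = field(default_factory=dict)


def check_leaf(leaf_names: dict, chain: list) -> tuple:
    """leaf_names: {name type: [names]} from the leaf's subjectAltName.
    chain: NameConstraints of every CA above the leaf, root first.

    Rules applied, per RFC 5280:
      * a name inside any excluded subtree of any CA fails (union of excludes);
      * if a CA lists permitted subtrees for a type, every leaf name of that
        type must fall inside one of them (checking each CA in turn is the
        same as intersecting their permitted subtrees);
      * a type for which no CA lists anything is unconstrained.
    Returns (ok, reason)."""
    for depth, nc in enumerate(chain):
        for ntype, names in leaf_names.items():
            match = MATCHERS[ntype]
            for name in names:
                for sub in nc.excluded.get(ntype, []):
                    if match(name, sub):
                        return False, f"{ntype} {name!r} is in excluded subtree {sub!r} (CA depth {depth})"
                permitted = nc.permitted.get(ntype)
                if permitted is not None and not any(match(name, sub) for sub in permitted):
                    return False, f"{ntype} {name!r} is outside permitted subtrees {permitted} (CA depth {depth})"
    return True, "all names within constraints"


# Constructed sample chain: an unconstrained root that issued one organisation
# a subordinate CA locked to its own domain (permitted) minus an internal zone
# (excluded).  The critical flag itself is not modelled: a conforming validator
# must reject the chain outright if it cannot process a critical extension.
ROOT = NameConstraints()
ORG_SUB_CA = NameConstraints(
    permitted={"dns": ["example.com"], "email": ["example.com", ".example.com"]},
    excluded={"dns": ["internal.example.com"]},
)
CHAIN = [ROOT, ORG_SUB_CA]

if __name__ == "__main__":
    for san in ({"dns": ["www.example.com"]},
                {"dns": ["www.example.com", "login.bank.test"]},   # the case the comment fears
                {"dns": ["notexample.com"]},                       # label boundary matters
                {"dns": ["db.internal.example.com"]},              # excluded wins
                {"email": ["alice@mail.example.com"]}):
        print(san, "->", check_leaf(san, CHAIN))
```

Two caveats worth keeping in mind when relying on this extension. Constraints only bind the name types they list, so a sub-CA profile that permits dNSName alone still leaves iPAddress and other types unconstrained unless they are excluded explicitly. And the RFC applies DNS constraints to dNSName entries in subjectAltName; a hostname that appears only in the subject commonName is not a dNSName, which is part of why a constrained CA is only as safe as the validator applying the constraints.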