[13602] in cryptography@c2.net mail archive


Re: An attack on paypal

daemon@ATHENA.MIT.EDU (Matt Crawford)
Thu Jun 12 11:13:38 2003

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Cc: sunder@sunder.net, cryptography@metzdowd.com, cypherpunks@lne.com
From: "Matt Crawford" <crawdad@fnal.gov>
In-reply-to: Your message of Thu, 12 Jun 2003 16:35:11 +1200.
             <200306120435.h5C4ZB428720@medusa01.cs.auckland.ac.nz> 
Date: Thu, 12 Jun 2003 09:30:17 -0500

> "Matt Crawford" <crawdad@fnal.gov> writes:
> >... Netscrape and Internet Exploder each have a hack for
> >honoring the same cert for multiple server names.  Opera seems to honor at
> >least one of the two hacks, and a cert can incorporate both at once.
> >
> >       /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
> >       /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
> >       /CN=bravo.fnal.gov/CN=charlie.fnal.gov
> 
> Just to clarify this, so you need a multivalued CN, with one containing the
> expression "(a|b|c)" and the remaining containing each of "a", "b", and "c"?
> Is it multiple AVAs in an RDN, or multiple RDNs?   (Either of these could be
> hard to generate with a lot of software, which can't handle multiple AVAs in
> an RDN or multiple same-type RDNs).  Which hack is for MSIE and which is for
> Netscape?

Each CN is in a single-element RDN as usual. Netscape honors only the
first CN in the SubjectDN, but will treat it as a restricted regex
(shell-like * wildcard, alternation and grouping). IE checks the
server name against each CN individually.

This was mainly determined by experimentation.  I think we did find a
limit on how long that first regex could be, but I don't remember
what it was.  Longer than my example, but short enough that some of
our bigger virtual-hosting servers were inconvenienced by it.

Openssl has no qualms about multiple same-type components.  You just
have to use the somewhat documented

0.commonName = ...
1.commonName = ...
2.commonName = ...

in the configuration file.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
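The two matching rules described in the message above (first CN treated as a restricted regex; each CN compared individually), applied to the multi-CN subject from the quoted example, plus the numbered-key OpenSSL `req_distinguished_name` section for such a subject. This is an added illustration written for this archive page; it is not code from the message author or from any browser or OpenSSL. The subject-string parser, the wildcard-to-regex translation, the function names and the constructed hostnames are all assumptions of this example, not behaviour documented on the page; the long attribute names (commonName and so on) are standard OpenSSL names, and the `prompt = no` requirement is an assumption about how the numbered keys are consumed.

```python
import re

# Constructed sample: the multi-CN subject quoted in the message, written in
# OpenSSL's one-line "/type=value/type=value" notation.
SAMPLE_SUBJECT = (
    "/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services"
    "/CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov"
    "/CN=bravo.fnal.gov/CN=charlie.fnal.gov"
)

# Short-name to OpenSSL long-name mapping for the attribute types used here.
LONG_NAMES = {
    "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
    "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName",
}


def parse_subject(subject):
    """Split a "/type=value/..." subject into an ordered list of (type, value)
    pairs, one per single-element RDN. Same-type components (several CN=)
    are kept in order, since order matters for the first-CN rule."""
    rdns = []
    for part in subject.split("/")[1:]:        # leading "/" -> empty first element
        attr_type, sep, value = part.partition("=")
        if not attr_type or not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type, value))
    return rdns


def common_names(subject):
    """All CN values, in certificate order."""
    return [v for t, v in parse_subject(subject) if t == "CN"]


def _restricted_regex(pattern):
    """Translate the restricted dialect described in the message (shell-like
    '*' wildcard, '|' alternation, '(...)' grouping) into a Python regex that
    is anchored over the whole hostname. Every other character is literal, so
    the '.' in a domain never becomes a regex metacharacter."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch in "()|":
            out.append(ch)
        else:
            out.append(re.escape(ch))
    return re.compile("^(?:" + "".join(out) + ")$", re.IGNORECASE)


def first_cn_regex_matches(subject, hostname):
    """Rule attributed to Netscape in the message: only the first CN counts,
    and it is interpreted as a restricted regex."""
    cns = common_names(subject)
    if not cns:
        return False
    return _restricted_regex(cns[0]).match(hostname) is not None


def any_cn_literal_matches(subject, hostname):
    """Rule attributed to IE in the message: each CN is compared individually,
    as a literal (case-insensitive) hostname."""
    return any(cn.lower() == hostname.lower() for cn in common_names(subject))


def accepted_by(subject, hostname):
    """Which of the two rules would accept this certificate for this hostname.
    A subject accepted under one rule but not the other is exactly the kind of
    inconsistency an operator should notice before relying on it."""
    result = set()
    if first_cn_regex_matches(subject, hostname):
        result.add("first-cn-regex")
    if any_cn_literal_matches(subject, hostname):
        result.add("per-cn-literal")
    return result


def req_distinguished_name_section(subject):
    """Emit the numbered-key form the message mentions (0.commonName, ...),
    which lets OpenSSL accept repeated same-type components. Assumes the
    [req] section sets prompt = no, so each key carries its value directly."""
    counters = {}
    lines = ["[ req_distinguished_name ]"]
    for attr_type, value in parse_subject(subject):
        long_name = LONG_NAMES.get(attr_type, attr_type)
        n = counters.get(long_name, 0)
        counters[long_name] = n + 1
        lines.append("%d.%s = %s" % (n, long_name, value))
    return "\n".join(lines)


if __name__ == "__main__":
    for host in ("bravo.fnal.gov", "delta.fnal.gov", "alpha.fnal.gov.example"):
        print(host, sorted(accepted_by(SAMPLE_SUBJECT, host)))
    print(req_distinguished_name_section(SAMPLE_SUBJECT))
```

Running the block prints which rule accepts each constructed hostname and the generated section; the anchored regex is what keeps `alpha.fnal.gov.example` from matching the grouped pattern.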
