CA/Forbidden or Problematic Practices: Difference between revisions

m
(also problematic the non resolvable and the resolvable together)
Line 39: Line 39:
We consider this a problematic practice for a public CA because a subscriber who obtains a certificate of this type could in theory use it in contexts other than the one for which the certificate was obtained, and in particular could use it to help enable an SSL MITM attack on users in other organizations who are using the same hostname or IP address for their own SSL-enabled servers. (Depending on the hostnames and private IP addresses used, this vulnerability might also affect users of home networks with SSL-enabled home gateway devices.)
We consider this a problematic practice for a public CA because a subscriber who obtains a certificate of this type could in theory use it in contexts other than the one for which the certificate was obtained, and in particular could use it to help enable an SSL MITM attack on users in other organizations who are using the same hostname or IP address for their own SSL-enabled servers. (Depending on the hostnames and private IP addresses used, this vulnerability might also affect users of home networks with SSL-enabled home gateway devices.)


It is also a problematicaly practice, to issue a certificate with non resolvable DNS or private IP and resolvable DNS adresses together.
It is also a problematic practice to issue a certificate with non resolvable DNS or private IP and resolvable DNS adresses together.


=== OCSP Responses signed by a certificate under a different root ===
=== OCSP Responses signed by a certificate under a different root ===
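Review bot: the revised sentence still carries two spelling problems in the same line it corrects: "adresses" should be "addresses", and "non resolvable" should be hyphenated as "non-resolvable" when it modifies a noun. The sentence would also read more clearly if it stated what the combination is, e.g. "It is also a problematic practice to issue a single certificate that contains non-resolvable DNS names or private IP addresses together with resolvable DNS names."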