An attack on paypal
Matt Crawford
crawdad at fnal.gov
Thu Jun 12 07:30:17 PDT 2003
> "Matt Crawford" <crawdad at fnal.gov> writes:
> >... Netscrape ind Internet Exploder each have a hack for
> >honoring the same cert for multiple server names. Opera seems to honor at
> >least one of the two hacks, and a cert can incorporate both at once.
> >
> > /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
> > /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
> > /CN=bravo.fnal.gov/CN=charlie.fnal.gov
>
> Just to clarify this, so you need a multivalued CN, with one containing the
> expression "(a|b|c)" and the remaining containing each of "a", "b", and "c"?
> Is it multiple AVAs in an RDN, or multiple RDNs? (Either of these could be
> hard to generate with a lot of software, which can't handle multiple AVAs in
> an RDN or multiple same-type RDNs). Which hack is for MSIE and which is for
> Netscape?
Each CN is in a single-element RDN as usual. Netscape honors only the
first CN in the SubjectDN, but will treat it as a restricted regex
(shell-like * wildcard, alternation and grouping). IE checks the
server name against each CN's individually.
This was mainly determined by experimentation. I think we did find a
limit on how long that first regex could be, but I don't remember
what it was. Longer than my example, but short enough that some of
our bigger virtual-hosting servers were inconvenienced by it.
Openssl has no qualms about multiple same-type components. You just
have to use the somewhat documented
0.commonName = ...
1.commonName = ...
2.commonName = ...
in the configuration file.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cypherpunks-legacy
mailing list