
112 SANs from different owners in a single OV certificate?


Paul van Brouwershaven

Dec 23, 2010, 4:45:01 AM
to mozilla-dev-s...@lists.mozilla.org
I would like to start a discussion about the certificate below: one certificate with currently 112
SANs. The domains used in the SAN field are not owned by the same company, but the certificate
contains company information.

Most likely these domains are hosted by OVH, but does this give them the right to put them all in a
single certificate?

CN = 720plan.ovh.net
OU = 0002 424761419
O = OVH
STREET = 2 rue Kellermann
STREET = 2 rue Kellermann
L = ROUBAIX
S = NORD
PostalCode = 59100
C = FR

CN = 1-ter-net.net
CN = abripiscine.abrisud.com
CN = extranet.recoveo.com
CN = gepi.lyceefrancois1.net
CN = mescachets.com
CN = olivierfabre.com
CN = ssl5.ovh.net
CN = support.ccds.easy-prepaid-solution.fr
CN = www.3colleges.fr
CN = www.aevas-sono.com
CN = www.aimar-shop.com
CN = www.akzo-orange.com
CN = www.alfabarre.com
CN = www.aludra.fr
CN = www.aquanal.fr
CN = www.arbmusic.com
CN = www.art-var.fr
CN = www.arvha-formation.org
CN = www.ascap25.com
CN = www.assureurs-partenaires.fr
CN = www.baladeshopping.com
CN = www.bayesialab.com
CN = www.beauxsonges.fr
CN = www.bebeestne-lejeu.com
CN = www.bibace.com
CN = www.bio-creme.fr
CN = www.boutique-achelsport.com
CN = www.boutique-autocad-revendeur.fr
CN = www.brians-nightshows.com
CN = www.cabinetcedric.fr
CN = www.ce-ecocertfrance.fr
CN = www.cercle-de-progres.fr
CN = www.cervval.com
CN = www.clcfrance.com
CN = www.cliniclyon.fr
CN = www.corsevins.fr
CN = www.cplusvert.com
CN = www.creaide.com
CN = www.dactylodoc.com
CN = www.decisio.pro
CN = www.delphigenetics.com
CN = www.demorainmaker.com
CN = www.descartes.fr
CN = www.edgbonsai-fr.com
CN = www.enyter.com
CN = www.europrestigecars.com
CN = www.everythingaudio.fr
CN = www.evolynx.eu
CN = www.extradoc.net
CN = www.facturline.fr
CN = www.flyers-shop.com
CN = www.france-passion.com
CN = www.fusadee-shop.com
CN = www.geophile.eu
CN = www.icarai.eu
CN = www.images-pjcx.com
CN = www.influenzart.com
CN = www.inscriptioncenter.fr
CN = www.iprotego.com
CN = www.iseult-mas.fr
CN = www.ite-audit.fr
CN = www.itolosa.fr
CN = www.izi-boutik.com
CN = www.jeu-respect-rollerfootball.com
CN = www.jeuxvends.com
CN = www.judaiculte.com
CN = www.kallysta.com
CN = www.lafouillasse.fr
CN = www.laisney-julien.fr
CN = www.lannonceurdesvallees.com
CN = www.leballadin.fr
CN = www.ledendupneu.com
CN = www.lucilialingerie.com
CN = www.maisonbleuet.com
CN = www.mapresentation.tv
CN = www.merlet.eu
CN = www.millecouleurs.fr
CN = www.naturoclic.com
CN = www.notikia.com
CN = www.nouvelle-epicerie.fr
CN = www.octelio.eu
CN = www.ofurobain.fr
CN = www.olatravel.com
CN = www.onveut.com
CN = www.optical-calculation.com
CN = www.paiementdixdecoeur.com
CN = www.plaques-immatriculation.com
CN = www.pm-office.com
CN = www.pointimmobilier.fr
CN = www.r4carte-mania.fr
CN = www.rcpware.com
CN = www.rdvpratique.fr
CN = www.reggae-auction.com
CN = www.reponses-marches-publics.biz
CN = www.ronde-des-bijoux.com
CN = www.running-pro.com
CN = www.sac-aspirateur.biz
CN = www.sanpablo.es
CN = www.seprodom.com
CN = www.shoten.fr
CN = www.singer-polignac.org
CN = www.stefatelier.com
CN = www.stop-boutique.fr
CN = www.store-caps.com
CN = www.tevea-international.com
CN = www.thierrysaintjean.com
CN = www.ubidoca.com
CN = www.valise-trottinette.com
CN = www.villahostels.com
CN = www.vipwebclient.com
CN = www.wstages.fr
CN = www.zagochic.fr


DNS Name=720plan.ovh.net
DNS Name=1-ter-net.net
DNS Name=abripiscine.abrisud.com
DNS Name=extranet.recoveo.com
DNS Name=gepi.lyceefrancois1.net
DNS Name=mescachets.com
DNS Name=olivierfabre.com
DNS Name=ssl5.ovh.net
DNS Name=support.ccds.easy-prepaid-solution.fr
DNS Name=www.3colleges.fr
DNS Name=www.aevas-sono.com
DNS Name=www.aimar-shop.com
DNS Name=www.akzo-orange.com
DNS Name=www.alfabarre.com
DNS Name=www.aludra.fr
DNS Name=www.aquanal.fr
DNS Name=www.arbmusic.com
DNS Name=www.art-var.fr
DNS Name=www.arvha-formation.org
DNS Name=www.ascap25.com
DNS Name=www.assureurs-partenaires.fr
DNS Name=www.baladeshopping.com
DNS Name=www.bayesialab.com
DNS Name=www.beauxsonges.fr
DNS Name=www.bebeestne-lejeu.com
DNS Name=www.bibace.com
DNS Name=www.bio-creme.fr
DNS Name=www.boutique-achelsport.com
DNS Name=www.boutique-autocad-revendeur.fr
DNS Name=www.brians-nightshows.com
DNS Name=www.cabinetcedric.fr
DNS Name=www.ce-ecocertfrance.fr
DNS Name=www.cercle-de-progres.fr
DNS Name=www.cervval.com
DNS Name=www.clcfrance.com
DNS Name=www.cliniclyon.fr
DNS Name=www.corsevins.fr
DNS Name=www.cplusvert.com
DNS Name=www.creaide.com
DNS Name=www.dactylodoc.com
DNS Name=www.decisio.pro
DNS Name=www.delphigenetics.com
DNS Name=www.demorainmaker.com
DNS Name=www.descartes.fr
DNS Name=www.edgbonsai-fr.com
DNS Name=www.enyter.com
DNS Name=www.europrestigecars.com
DNS Name=www.everythingaudio.fr
DNS Name=www.evolynx.eu
DNS Name=www.extradoc.net
DNS Name=www.facturline.fr
DNS Name=www.flyers-shop.com
DNS Name=www.france-passion.com
DNS Name=www.fusadee-shop.com
DNS Name=www.geophile.eu
DNS Name=www.icarai.eu
DNS Name=www.images-pjcx.com
DNS Name=www.influenzart.com
DNS Name=www.inscriptioncenter.fr
DNS Name=www.iprotego.com
DNS Name=www.iseult-mas.fr
DNS Name=www.ite-audit.fr
DNS Name=www.itolosa.fr
DNS Name=www.izi-boutik.com
DNS Name=www.jeu-respect-rollerfootball.com
DNS Name=www.jeuxvends.com
DNS Name=www.judaiculte.com
DNS Name=www.kallysta.com
DNS Name=www.lafouillasse.fr
DNS Name=www.laisney-julien.fr
DNS Name=www.lannonceurdesvallees.com
DNS Name=www.leballadin.fr
DNS Name=www.ledendupneu.com
DNS Name=www.lucilialingerie.com
DNS Name=www.maisonbleuet.com
DNS Name=www.mapresentation.tv
DNS Name=www.merlet.eu
DNS Name=www.millecouleurs.fr
DNS Name=www.naturoclic.com
DNS Name=www.notikia.com
DNS Name=www.nouvelle-epicerie.fr
DNS Name=www.octelio.eu
DNS Name=www.ofurobain.fr
DNS Name=www.olatravel.com
DNS Name=www.onveut.com
DNS Name=www.optical-calculation.com
DNS Name=www.paiementdixdecoeur.com
DNS Name=www.plaques-immatriculation.com
DNS Name=www.pm-office.com
DNS Name=www.pointimmobilier.fr
DNS Name=www.r4carte-mania.fr
DNS Name=www.rcpware.com
DNS Name=www.rdvpratique.fr
DNS Name=www.reggae-auction.com
DNS Name=www.reponses-marches-publics.biz
DNS Name=www.ronde-des-bijoux.com
DNS Name=www.running-pro.com
DNS Name=www.sac-aspirateur.biz
DNS Name=www.sanpablo.es
DNS Name=www.seprodom.com
DNS Name=www.shoten.fr
DNS Name=www.singer-polignac.org
DNS Name=www.stefatelier.com
DNS Name=www.stop-boutique.fr
DNS Name=www.store-caps.com
DNS Name=www.tevea-international.com
DNS Name=www.thierrysaintjean.com
DNS Name=www.ubidoca.com
DNS Name=www.valise-trottinette.com
DNS Name=www.villahostels.com
DNS Name=www.vipwebclient.com
DNS Name=www.wstages.fr
DNS Name=www.zagochic.fr

--

Kind regards

Paul van Brouwershaven
Networking4all B.V.

LinkedIn: https://www.linkedin.com/in/pvanbrouwershaven
Facebook: https://www.facebook.com/p.vanbrouwershaven
Twitter: https://www.twitter.com/vanbroup

Peter Gutmann

Dec 23, 2010, 4:51:51 AM
to mozilla-dev-s...@lists.mozilla.org, p.vanbrou...@networking4all.com
Paul van Brouwershaven <p.vanbrou...@networking4all.com> writes:

>I would like to start a discussion about the certificate below. One
>certificate with currently 112 SANs. The domains used in the SAN field are
>not owned by the same company but the certificate contains company
>information.

We already had this discussion a couple of months back. This is more or less
what you end up with when you use a CDN. There are lots of these certs
around.

>I would like to start a discussion about the certificate below. One
>certificate with currently 112 SANs. The domains used in the SAN field are
>not owned by the same company but the certificate contains company
>information.

>I would like to start a discussion about the certificate below. One
>certificate with currently 112 SANs. The domains used in the SAN field are
>not owned by the same company but the certificate contains company
>information.

We heard you the first time.

Peter.

Paul van Brouwershaven

Dec 23, 2010, 5:33:20 AM
to dev-secur...@lists.mozilla.org, pgu...@cs.auckland.ac.nz
On 23-12-2010 10:51, Peter Gutmann wrote:

> We already had this discussion a couple of months back. This is more or less
> what you end up with when you use a CDN. There are lots of these certs
> around.

I must have missed that; do you have a link to this discussion? I can't find it in the archives.

Even if there was a discussion I think it's important to look closer at this certificate. We are
talking about a certificate which contains organizational information. As far as I know all domains in
an Organization Validated certificate should be owned by the same company. Who should be the one who
is listed in the certificate, what are his responsibilities and why should he be shown to the end-user?

Cloud hosting / CDN: it doesn't say that we can follow another validation procedure. The
organizational information should be from the owner of the domain name.

>> I would like to start a discussion about the certificate below. One
>> certificate with currently 112 SANs. The domains used in the SAN field are
>> not owned by the same company but the certificate contains company
>> information.
>
> We heard you the first time.

Sorry, the message was not coming through the first few times because I copied the certificate into the
message body. Only one message has been published on dev-security-policy and
http://groups.google.com/group/mozilla.dev.security.policy/topics

Robin Alden

Dec 23, 2010, 6:15:21 AM
to Paul van Brouwershaven, dev-secur...@lists.mozilla.org
Hi Paul,

> As far as I know all domains in an Organization Validated
> certificate should be owned by the same company.

Can you point us to either an element of a CPS or of Mozilla's CA
Policy which requires that?
For an OV certificate, Firefox displays 'This web site does not
supply ownership information.'

> Who should be the one who is listed in the certificate,
> what are his responsibilities and why should he be shown to the
> end-user?

Our CPS says that it is the subscriber's details that appear in
the subject.
Mozilla's CA policy says 'for a certificate to be used for
SSL-enabled servers, the CA takes reasonable measures to verify
that the entity submitting the certificate signing request has
registered the domain(s) referenced in the certificate or has been
authorized by the domain registrant to act on the registrant's
behalf;'

>
> Cloud hosting / CDN: it doesn't say that we can follow another
> validation procedure. The organizational information should be
> from the owner of the domain name.
>
> >> I would like to start a discussion about the certificate below. One
> >> certificate with currently 112 SANs. The domains used in the SAN
> >> field are not owned by the same company but the certificate contains
> >> company information.
>

Regards
Robin Alden
Comodo

Peter Gutmann

Dec 23, 2010, 7:02:08 AM
to dev-secur...@lists.mozilla.org, p.vanbrou...@networking4all.com, pgu...@cs.auckland.ac.nz
Paul van Brouwershaven <p.vanbrou...@networking4all.com> writes:

>I should have missed that, do you have a link to this discussion I can't find
>it in they archives.

Ah, sorry, it was on another list, the discussion starts here:

http://www.mail-archive.com/crypto...@metzdowd.com/msg11309.html

Peter.

David E. Ross

Dec 23, 2010, 10:45:13 AM
to mozilla-dev-s...@lists.mozilla.org

I sampled the domains listed, doing DNS lookups and some WhoIs lookups.
They all seem to trace to EdgeCast Networks, Inc. in Santa Monica,
California.

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

David E. Ross

Dec 23, 2010, 10:47:47 AM
to mozilla-dev-s...@lists.mozilla.org
On 12/23/10 7:45 AM, David E. Ross wrote:
> On 12/23/10 4:02 AM, Peter Gutmann wrote:
>> Paul van Brouwershaven <p.vanbrou...@networking4all.com> writes:
>>
>>> I should have missed that, do you have a link to this discussion I can't find
>>> it in they archives.
>>
>> Ah, sorry, it was on another list, the discussion starts here:
>>
>> http://www.mail-archive.com/crypto...@metzdowd.com/msg11309.html
>>
>> Peter.
>
> I sampled the domains listed, doing DNS lookups and some WhoIs lookups.
> They all seem to trace to EdgeCast Networks, Inc. in Santa Monica,
> California.
>

Oops! One of them is www.mozilla.com. That means the certificate was
issued with a SAN domain that is NOT controlled by the subscriber.

Paul Tiemann

Dec 23, 2010, 11:02:14 AM
to David E. Ross, mozilla-dev-s...@lists.mozilla.org
On Dec 23, 2010, at 8:47 AM, David E. Ross wrote:

>>>> I should have missed that, do you have a link to this discussion I can't find
>>>> it in they archives.
>>>
>>> Ah, sorry, it was on another list, the discussion starts here:
>>>
>>> http://www.mail-archive.com/crypto...@metzdowd.com/msg11309.html
>>>
>>> Peter.
>>
>> I sampled the domains listed, doing DNS lookups and some WhoIs lookups.
>> They all seem to trace to EdgeCast Networks, Inc. in Santa Monica,
>> California.
>>
>

> Oops! One of them is www.mozilla.com. That means the certificate was
> issued with a SAN domain that is NOT controlled by the subscriber.

Before pulling out the long knives you should all read the whole thread if you're not familiar with it.

A) SANs not controlled by the subscriber are no sin as long as you get the proper authorizations: You have to get authorization from the actual owner of the SANs to be included in the certificate. Arguing to remove the O field is counterproductive (IMHO) because it is ALWAYS better to have _someone_ identified and on the hook.

B) Mozilla got bullied into removing the name from the cert. It appears that a few months earlier, Mozilla had migrated to some other content distribution strategy anyway. Mozilla had authorized the inclusion of the name in the certificate, but it's not there any more.

C) In the course of the other discussion Peter linked to, EdgeCast and DigiCert decided to split the large certificate into smaller certs, because Peter discovered that the size of the certificate itself was causing a certain SSL proxy (I can't recall what it was) to be unable to do SSL handshakes. A better size limit for multi-name certificates is around 30 or 40 names.

Paul Tiemann
CTO, DigiCert Inc
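The two concerns this thread raises, SANs spanning many unrelated registrable domains under one OV subject (Paul van Brouwershaven's point) and the sheer size of a certificate carrying over a hundred names (Paul Tiemann's point C), can be made concrete with a small DER encoder/decoder. The following is an added example, not code from the thread, from Mozilla or from any CA: it encodes the SubjectAltName GeneralNames structure and a Subject with one CN RDN per host name (the shape of the posted certificate), decodes the SAN back, and scores the result. The sample names are copied from the posted certificate; the naive last-two-labels rule in registrable_domain() (instead of the Public Suffix List) and the 40-name ceiling taken from the figure quoted above are assumptions.

```python
# Added example, not code from the thread or from any CA: DER-encode the
# SubjectAltName GeneralNames structure and a Subject with one CN RDN per
# host name (the shape of the posted certificate), decode the SAN back, and
# score the result against the two concerns raised in the thread.
# ASSUMPTIONS: registrable_domain() uses a naive last-two-labels rule instead
# of the Public Suffix List; max_names=40 is the ceiling quoted above.

# Constructed input: a handful of names copied from the posted certificate.
SAMPLE_SANS = [
    "720plan.ovh.net", "ssl5.ovh.net", "1-ter-net.net",
    "abripiscine.abrisud.com", "extranet.recoveo.com", "www.3colleges.fr",
    "www.sanpablo.es", "www.singer-polignac.org",
]


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san(names):
    """GeneralNames ::= SEQUENCE OF GeneralName.  dNSName is
    [2] IMPLICIT IA5String, i.e. context-specific primitive tag 2 (0x82)."""
    return _tlv(0x30, b"".join(_tlv(0x82, n.encode("ascii")) for n in names))


def encode_subject_cns(names):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET { SEQUENCE { OID, value } }.
    One RDN per name with id-at-commonName (2.5.4.3) and a UTF8String,
    which is how the posted certificate repeats every host as a CN."""
    cn_oid = bytes.fromhex("0603550403")
    rdns = (_tlv(0x31, _tlv(0x30, cn_oid + _tlv(0x0C, n.encode("utf-8"))))
            for n in names)
    return _tlv(0x30, b"".join(rdns))


def _read_len(buf: bytes, pos: int):
    """Parse a DER length at buf[pos]; reject indefinite and non-minimal forms."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("invalid DER length")
    n = int.from_bytes(buf[pos:pos + nbytes], "big")
    if n < 0x80 or buf[pos] == 0:
        raise ValueError("non-minimal DER length")
    return n, pos + nbytes


def decode_san(der: bytes):
    """Return the dNSName entries of a GeneralNames SEQUENCE, in order.
    Other GeneralName choices (rfc822Name 0x81, iPAddress 0x87, ...) are skipped."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    if end != len(der):
        raise ValueError("length does not match buffer")
    names = []
    while pos < end:
        tag = der[pos]
        ln, pos = _read_len(der, pos + 1)
        if pos + ln > end:
            raise ValueError("element overruns SEQUENCE")
        if tag == 0x82:
            names.append(der[pos:pos + ln].decode("ascii"))
        pos += ln
    return names


def registrable_domain(host: str) -> str:
    """ASSUMPTION: naive last-two-labels rule.  Real tooling must use the
    Public Suffix List (www.example.co.uk -> example.co.uk, not co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def san_report(names, subject_o, max_names=40):
    """Encode, decode and score a SAN list.  mixed_ownership_under_ov flags an
    organisation in the Subject whose SANs span several registrable domains;
    exceeds_size_guidance applies the 30-40 name ceiling quoted in the thread."""
    san = encode_san(names)
    subject = encode_subject_cns(names)
    decoded = decode_san(san)
    domains = sorted({registrable_domain(n) for n in decoded})
    return {
        "san_count": len(decoded),
        "registrable_domains": domains,
        "san_bytes": len(san),
        "subject_bytes": len(subject),
        "mixed_ownership_under_ov": bool(subject_o) and len(domains) > 1,
        "exceeds_size_guidance": len(decoded) > max_names,
    }


if __name__ == "__main__":
    for key, value in san_report(SAMPLE_SANS, "OVH").items():
        print(f"{key}: {value}")
```

Two things the numbers show that the prose does not: each dNSName costs only two bytes of DER overhead, so a 112-name SAN extension is on the order of 2.5 KB, but repeating every name as a CN RDN in the Subject, as this certificate does, costs eleven bytes of overhead per name and roughly doubles the footprint; and the ownership check is only as good as the registrable-domain rule, which is why the Public Suffix List matters for anything beyond a demonstration.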

