921127 - In PSM don't provide EV treatment when cert includes wildcards in the alt-dns name and common name fields

Status: NEW

(Core :: Security: PSM, enhancement, P3)

Description

[Kathleen Wilson]

As per the EV Guidelines: 
8.1.1 Subject Organization Information
(2) Domain Name
Certificate field: subject:commonName (OID: 2.5.4.3) or subjectAltName:dNSName
Contents: This field MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject‟s server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). Wildcard certificates are not allowed for EV Certificates.

Please add code to PSM to not allow EV treatment of wildcard certs.

Comment 1

[Kaspar]

(In reply to Kathleen Wilson from comment #0)
> Please add code to PSM to not allow EV treatment of wildcard certs.

That's just one of the checks I already listed in bug 470926 (today's EV Guidelines section 8 was section 6 at that time).

Is there a specific incident (i.e., a certificate issued by an EV-enabled CA which includes a wildcard) which is triggering this request right now? If so, can we see that certificate?

Comment 2

[Kaspar]

Attachment: ccleaning.accenture.com EV SSL certificate with wildcard SAN entry

Ok, here is this certificate (in case it should soon disappear from the iag-moodle.cclearning.accenture.com site).

Verizon Business got EV treatment for the Cybertrust Global Root with bug 493259 (EV OID 1.3.6.1.4.1.6334.1.100.1).

Comment 3

[Kaspar]

Attachment: Cybertrust SureServer EV CA CRL #9672

The certificate is unrevoked as of today (attaching CRL #9672, updated 2013-09-27 01:17:19 UTC, retrieved from http://crl.omniroot.com/SureServerEV.crl, for documentation purposes).

Note that the certificate doesn't include an OCSP URI either, so PSM/NSS must rely on the CRL in this case.

Funny how Netcraft puts it: "Verizon Business has chosen to test browsers' approach to wildcard EV certificates"...

Comment 4

[Kaspar]

Attachment: Cybertrust SureServer EV CA CRL #9692

Still unrevoked as of today (CRL #9692 was issued 2 October 2013 at 01:29:08 UTC). A few more bits have been posted at https://groups.google.com/d/msg/mozilla.dev.security.policy/zgXqG_P3RIg/_y91fpknjucJ.

Comment 5

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

After bug 1063281 is fixed, it will be easy to modify that new function to take an input parameter indicating whether wildcards should be matched, or similar.

Comment 6

[subhan]

You've probably wondered whether you could apply Nair on your balls at some point in your life. Yes, you may put Nair on balls, but there are a few considerations you should make before. We'll go through the advantages and disadvantages of using Nair on pubic hairs in this blog post, as well as some suggestions for preventing irritation and other unfavourable side effects. So, if you're considering using Nair to your nether area, read on for more information. https://theshaverguide.com/can-you-use-nair-on-your-balls/