Re: [Bug-wget] Overly permissive hostname matching

[Ángel González]

On 18/03/14 16:00, Jeffrey Walton wrote:
> What if a certificate is issued by a trusted CA that *does*
> match part of the public suffix list (perhaps because the
> CA has determined tha tthe application has rightful
> control over the entire zone)?
> In practice we know four things. First, no one authority controls the
> entire domain space in a gTLD. So its really a non-sequitur. We might
> inadvertently see it in cases like Diginotar, but that's a negative
> case and not a typical use case. However, we should expect these
> corner cases on occasion.
>
> Second, anyone claiming such is probably trying to subvert the secure
> channel. (...)

I realised that there is a problem with private registries if trying to 
apply the
PSL to certificates.

There are two kinds of private registries in the PSL: those full-delegation
registries (you have whole control of the domain) and content-delegation
ones. In the later case, they are public suffixes since users can place are
as arbitrary content, but the servers are under control of a single org, 
and
thus they can (and do) use a wildcard certificate for their domain.
See for instance blogspot.com

It is easy to exclude the private registries but there's no difference 
between
them. I think we should request mozilla to split that section in two.

*********

As a different comment, I discovered that although wildcards are not 
restricted
in the PSL description, they will in practise appear only at the beginning
and in fact, Mozilla implementation only supports that. This simplifies the
matching.