Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.0.1
    • Component/s: None
    • Labels:
      None

      Description

      In order to better implement domain blocking (a requirement when issuing public TLS certificates, to block high-value domains) we could easily add a Domain Blacklist Validator, pretty similar to the PublicKey Blacklist Validator.

      If validation fails, an approval should be created automatically.

      It would be a plus if it is possible to find code that detects "lookalike" domains as well, i.e. when we have blacklisted paypal.com, it also blacklists paypa1.com automagically.

      This issue is about the main implementation. For 7.0.1 we will do a basic implementation:

      • Only text matching. No SHA-256.
      • Only basic matching (exact match and contains).
      • Only basic normalization (ASCII) of non-Punycode domains. Unicode lookalikes and Punycode parsing can be added later. Most browsers have started disallowing mixing character sets from different languages (and disallow many characters), so the ability to do Punycode spoofing is somewhat limited today.
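      As an added illustration of the basic implementation sketched above (not EJBCA's own Domain Blacklist Validator code), the following Python shows what "exact match and contains" with plain ASCII normalization amounts to, and what it does and does not catch: a mixed-case name with a trailing dot is blocked, a subdomain is blocked via "contains", but the lookalike paypa1.com and a Punycode label pass, which is exactly the gap the ticket defers. The class and function names are assumptions, and the blacklist entries and requested names are constructed sample data.

```python
# Added example: text-only domain blacklist matching with basic ASCII
# normalization, as described in the ticket. Not EJBCA code; names are
# assumptions, and the sample blacklist/requests are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class BlacklistHit:
    """Which blacklist entry a requested domain matched, and how."""
    domain: str      # normalized requested domain
    entry: str       # normalized blacklist entry that matched
    match_type: str  # "exact" or "contains"


def normalize_ascii_domain(domain: str) -> str:
    """Basic ASCII normalization only: trim whitespace, drop a trailing
    dot (FQDN form) and lower-case, since DNS names are case-insensitive.
    Names containing non-ASCII characters are returned untouched; Unicode
    lookalike and Punycode handling is out of scope for this basic version."""
    d = domain.strip().rstrip(".")
    if not d.isascii():
        return d
    return d.lower()


class DomainBlacklistValidator:
    """Holds normalized blacklist entries and checks requested domains."""

    def __init__(self, entries: Iterable[str]) -> None:
        # Normalize once at load time so comparisons are consistent.
        self.entries: List[str] = sorted(
            {normalize_ascii_domain(e) for e in entries if e.strip()}
        )

    def check(self, domain: str) -> Optional[BlacklistHit]:
        """Return a hit for the first matching entry, or None if clean."""
        d = normalize_ascii_domain(domain)
        # Exact match is reported first so the reason is the most specific one.
        if d in self.entries:
            return BlacklistHit(d, d, "exact")
        # "contains": any blacklist entry appearing as a substring of the
        # requested name. This is deliberately broad (it also flags
        # "notpaypal.computer"), which is why a failed check should create an
        # approval for a human decision rather than a silent rejection.
        for e in self.entries:
            if e in d:
                return BlacklistHit(d, e, "contains")
        return None

    def validate(self, domains: Iterable[str]) -> Tuple[bool, List[BlacklistHit]]:
        """Check every requested name. ok is False when any name is blocked;
        that is the point at which an approval would be created."""
        hits = [h for h in (self.check(x) for x in domains) if h is not None]
        return (not hits, hits)


if __name__ == "__main__":
    # Constructed sample data.
    validator = DomainBlacklistValidator(["paypal.com", "Example-Bank.com"])
    for name in ["PayPal.com.", "login.paypal.com", "paypa1.com",
                 "xn--pypal-4ve.com", "www.example.org"]:
        hit = validator.check(name)
        print(f"{name:20s} -> {hit.match_type if hit else 'ok'}")
    ok, hits = validator.validate(["www.example.org", "example-bank.com"])
    print("approval needed" if not ok else "no approval needed", hits)
```

      Note that `paypa1.com` and the Punycode name pass untouched: with only exact and contains matching, lookalike detection has to be a separate, later addition.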

              People

              • Assignee: samuel (Samuel Lidén Borell)
              • Reporter: tomas (Tomas Gustavsson)
              • Votes: 0
              • Watchers: 5

                  Time Tracking

                  • Estimated: 1w 3d (original estimate 1 week, 3 days)
                  • Remaining: 1w 3d (remaining estimate 1 week, 3 days)
                  • Logged: Not Specified