> CAs vouch and are liable for every single bit in the ToBeSigned part
> of a certificate, no matter what stupid things they claim in any weird
> and ineffective "certificate practice statement" (CPS).
>
> A CA that doesn't is not a CA, but instead a hacker's foot in your door.
>
> This applies equally to all components of the subject DName, and
> all X.509v3 extensions, such as all subjectAltNames, all keyUsages,
> all extendedKeyUsages, all BasicConstraints, AIA, CRL distribution points,
> and whatever else there is.

I agree with the list above except keyUsage and extendedKeyUsage, which are somewhat identity-neutral.

> Blindly copying without validation any data from the PKCS#10 request
> into the certificate that they sign would be simply irresponsible and
> an act of gross negligence.

100% agree.

M.D.
cell: +370-699-26662

> -Martin
>
> _______________________________________________
> certid mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/certid
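The issuance rule the thread agrees on, as an added example in Python (not code from the certid thread or from any real CA): identity-bearing data from the PKCS#10 request (subject components, subjectAltName) is copied into the ToBeSigned part only after the CA has validated each value, while the identity-neutral extensions (basicConstraints, keyUsage, extendedKeyUsage, AIA, CRL distribution points) are always taken from the CA's own issuance profile and never from the request. The CSR is modelled as a plain dict of constructed sample values rather than parsed ASN.1, and the profile entries, hostnames and URLs are placeholders.

```python
"""Toy issuance-policy check: nothing from a PKCS#10 request reaches the
ToBeSigned part unless the CA validated it (identity data) or owns it
(profile data). Added illustration; the CSR is a constructed dict, not ASN.1."""

from dataclasses import dataclass, field

# Extensions the CA fills from its own issuance profile. A value in the CSR is
# never copied; a differing request is recorded so it can be audited.
# Hostnames and URLs below are placeholders, not a real CA's endpoints.
END_ENTITY_PROFILE = {
    "basicConstraints": "CA:FALSE",
    "keyUsage": ["digitalSignature", "keyEncipherment"],
    "extendedKeyUsage": ["serverAuth", "clientAuth"],
    "authorityInfoAccess": "OCSP;URI:http://ocsp.ca.example.test",
    "crlDistributionPoints": "URI:http://crl.ca.example.test/ee.crl",
}


@dataclass
class IssuanceDecision:
    subject: dict = field(default_factory=dict)
    extensions: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)    # unvalidated identity data: blocks issuance
    overridden: list = field(default_factory=list)  # CA-owned data the CSR tried to set differently

    @property
    def issue(self) -> bool:
        return not self.rejected


def dns_name_validated(name: str, validated_domains: set) -> bool:
    """A dNSName is acceptable only if it was validated exactly, or it is a
    wildcard whose base domain was validated."""
    if name in validated_domains:
        return True
    return name.startswith("*.") and name[2:] in validated_domains


def decide_issuance(csr: dict, validated_domains: set, validated_org=None) -> IssuanceDecision:
    d = IssuanceDecision()

    # Subject DName: copy a component only when the CA has verified it.
    for attr, value in csr.get("subject", {}).items():
        if attr == "CN" and dns_name_validated(value, validated_domains):
            d.subject[attr] = value
        elif attr == "O" and validated_org is not None and value == validated_org:
            d.subject[attr] = value
        else:
            d.rejected.append(f"subject {attr}={value}: not validated")

    # Extensions fall into three classes: validated (SAN), CA-owned (profile), unknown (refused).
    for ext, value in csr.get("extensions", {}).items():
        if ext == "subjectAltName":
            accepted = []
            for general_name in value:
                kind, _, name = general_name.partition(":")
                if kind == "DNS" and dns_name_validated(name, validated_domains):
                    accepted.append(general_name)
                else:
                    d.rejected.append(f"subjectAltName {general_name}: not validated")
            if accepted:
                d.extensions["subjectAltName"] = accepted
        elif ext in END_ENTITY_PROFILE:
            if value != END_ENTITY_PROFILE[ext]:
                d.overridden.append(ext)
        else:
            d.rejected.append(f"extension {ext}: not in issuance profile")

    # CA-owned extensions always come from the profile, never from the request.
    d.extensions.update(END_ENTITY_PROFILE)
    return d


# Constructed sample request: a requester asking for more than was validated.
SAMPLE_CSR = {
    "subject": {"CN": "www.example.test", "O": "Example Corp", "OU": "Trusted Root"},
    "extensions": {
        "subjectAltName": ["DNS:www.example.test", "DNS:*.example.test", "DNS:mail.other.test"],
        "basicConstraints": "CA:TRUE",
        "keyUsage": ["keyCertSign"],
        "extendedKeyUsage": ["serverAuth", "clientAuth"],
        "nameConstraints": "permitted;DNS:.other.test",
    },
}
VALIDATED_DOMAINS = {"www.example.test", "example.test"}  # what the CA actually checked

if __name__ == "__main__":
    decision = decide_issuance(SAMPLE_CSR, VALIDATED_DOMAINS, "Example Corp")
    print("issue:", decision.issue)
    for reason in decision.rejected:
        print("rejected:", reason)
    for ext in decision.overridden:
        print("overridden from profile:", ext)
```

Unvalidated subject components, unvalidated SAN entries and unknown extensions block issuance rather than being silently dropped, so the requester learns what the CA would not vouch for; the identity-neutral extensions are simply replaced from the profile and logged when the request asked for something else.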
