On 09/04/14 00:27, Kurt Roeckx wrote:
> <snip>
> The first example, Gandi, does sign certificates for other
> organizations.
Hi Kurt.
You seem to be assuming that the Subject organizationName in the
intermediate CA certificate ("O=GANDI SAS" in this case) identifies the
organization that controls the CA private key. This assumption seems
plausible at first glance, but it's actually wrong. It's the same
assumption underlying the EFF SSL Observatory's incorrect claim that
there are "650-odd organizations that function as Certificate
Authorities trusted (directly or indirectly) by Mozilla or Microsoft." [1]
You may recall that the EFF's "650-odd" figure included 200 or so
intermediate CA certificates issued by DFN-Verein to German academic
institutions. It subsequently became apparent that the DFN retains
control of the intermediate CA private keys and checks each certificate
request. Each academic institution is an RA, and DFN is the only CA.
Comodo operate intermediate CAs for several of our partners in a similar
fashion. The partner is named in the intermediate certificate's Subject
organizationName, but it is Comodo who controls the intermediate CA
private key and checks each certificate request.
FWIW, Kathleen has encouraged us to do this! [2]
[1] https://www.eff.org/observatory
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=653543#c0
"4) Implement a hierarchy of internally-operated intermediate CAs for
single or related groups of RAs."
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy