On 4/9/2014 1:25 PM, Rob Stradling wrote:
On 09/04/14 00:27, Kurt Roeckx wrote: <snip>The first example, Gandi, does sign certificates for other organizations.Hi Kurt.You seem to be assuming that the Subject organizationName in the intermediate CA certificate ("O=GANDI SAS" in this case) identifies the organization that controls the CA private key. This assumption seems plausible at first glance, but it's actually wrong. It's the same assumption underlying the EFF SSL Observatory's incorrect claim that there are "650-odd organizations that function as Certificate Authorities trusted (directly or indirectly) by Mozilla or Microsoft." [1]You may recall that the EFF's "650-odd" figure included 200 or so intermediate CA certificates issued by DFN-Verein to German academic institutions. It subsequently became apparent that the DFN retains control of the intermediate CA private keys and checks each certificate request. Each academic institution is an RA, and DFN is the only CA.Comodo operate intermediate CAs for several of our partners in a similar fashion. The partner is named in the intermediate certificate's Subject organizationName, but it is Comodo who controls the intermediate CA private key and checks each certificate request.
Rob, should we call this as "Hosted CA" or "CA hosting" service? Thanks, M.D.
FWIW, Kathleen has encouraged us to do this! [2] [1] https://www.eff.org/observatory [2] https://bugzilla.mozilla.org/show_bug.cgi?id=653543#c0"4) Implement a hierarchy of internally-operated intermediate CAs for single or related groups of RAs."
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
