Hi Rob,

On Wed, Apr 09, 2014 at 11:25:34AM +0100, Rob Stradling wrote:
> On 09/04/14 00:27, Kurt Roeckx wrote:
> <snip>
> >The first example, Gandi, does sign certificates for other
> >organizations.
> 
> Hi Kurt.
> 
> You seem to be assuming that the Subject organizationName in the
> intermediate CA certificate ("O=GANDI SAS" in this case) identifies the
> organization that controls the CA private key.  This assumption seems
> plausible at first glance, but it's actually wrong.

If I read Gandi's CPS, they seem to indicate that they control
the private key.

But then there is also Comodo's CPS, which seems to indicate that
Gandi should be following Comodo's CPS.

But Gandi also seems to offer certificates that are validated by
Comodo, and it's all becoming unclear to me.

> You may recall that the EFF's "650-odd" figure included 200 or so
> intermediate CA certificates issued by DFN-Verein to German academic
> institutions.  It subsequently became apparent that the DFN retains control
> of the intermediate CA private keys and checks each certificate request.
> Each academic institution is an RA, and DFN is the only CA.
> 
> Comodo operate intermediate CAs for several of our partners in a similar
> fashion.  The partner is named in the intermediate certificate's Subject
> organizationName, but it is Comodo who controls the intermediate CA private
> key and checks each certificate request.

So I basically have a few questions:
1) Who makes the decision to sign a certificate?
2) Who controls the private key?
3) Which CPS is being followed?
4) Who verifies that that CPS is being followed?

I was under the impression that the Registration Authority (RA)
would be 1), but that Comodo would be 2), but now I get the
feeling that Comodo is both 1) and 2).

Anyway, the end user certificate has a pointer to the CPS in it,
and in case of "O=GANDI SAS" it points to their own CPS.

Any idea what the situation is with DFN?

Maybe a good way to find the total amount of CAs is to look at
the different CPSs?  But I currently can't find a requirement in
the CA/B Forum requirements that they need to add that.

I think what we want to get to is that each CPS is audited, that
everybody following that CPS is audited, and define who is
responsible for that audit.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
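Question 3 above asks which CPS a certificate claims to follow, and the CPS pointer Kurt mentions lives in the certificatePolicies extension as an id-qt-cps policy qualifier (RFC 5280). The Go snippet below is an added example, not code from the thread or from any CA: it decodes that extension value into the CPS URIs per policy OID, and sampleExtension() is constructed input that assumes the CA/B Forum DV policy OID and a placeholder URL.

```go
package main

import "encoding/asn1"

// RFC 5280 qualifier OIDs: id-qt-cps carries a CPS URI, id-qt-unotice a user notice.
var oidQtCPS = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
var oidQtUNotice = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}

// DER layout of a certificatePolicies extension value: SEQUENCE OF PolicyInformation.
type policyQualifierInfo struct {
	ID        asn1.ObjectIdentifier
	Qualifier asn1.RawValue // IA5String for id-qt-cps, a SEQUENCE for id-qt-unotice
}
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers []policyQualifierInfo `asn1:"optional"`
}

// CPSURIs decodes a certificatePolicies value (cert.Extensions[i].Value for OID 2.5.29.32 in
// crypto/x509, which only surfaces the policy OIDs) into CPS URIs keyed by policy OID.
func CPSURIs(extValue []byte) (map[string][]string, error) {
	var policies []policyInformation
	if _, err := asn1.Unmarshal(extValue, &policies); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, p := range policies {
		for _, q := range p.Qualifiers {
			if q.ID.Equal(oidQtCPS) { // user notices and other qualifiers are not CPS pointers
				var uri string // the id-qt-cps qualifier is an IA5String
				if _, err := asn1.Unmarshal(q.Qualifier.FullBytes, &uri); err != nil {
					return nil, err
				}
				out[p.Policy.String()] = append(out[p.Policy.String()], uri)
			}
		}
	}
	return out, nil
}

// sampleExtension is constructed input: the CA/B Forum DV policy OID with a CPS pointer to a
// placeholder URL plus a user notice, which CPSURIs must skip rather than reject.
func sampleExtension() []byte {
	notice, _ := asn1.Marshal(struct{ Text string `asn1:"utf8"` }{"constructed notice"})
	der, _ := asn1.Marshal([]policyInformation{{Policy: asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1},
		Qualifiers: []policyQualifierInfo{
			{ID: oidQtCPS, Qualifier: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte("https://cps.example.invalid/")}},
			{ID: oidQtUNotice, Qualifier: asn1.RawValue{FullBytes: notice}}}}})
	return der
}
```

On a real chain, feed CPSURIs the Value of the extension whose Id equals 2.5.29.32 from each certificate in turn; comparing the end-entity and intermediate results is one concrete way to see whether a partner-branded intermediate points at its own CPS or at the operating CA's.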
