That sounds a bit like DNSSEC, where the ability to sign host names is attenuated as it is delegated.
Adam

On Tue, Aug 30, 2011 at 9:46 AM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> I was looking at our CA root list, and a lot of them seem like "specialist"
> CAs that would only issue certs for a limited range of hostnames. Could we
> formalize this, and have CAs indicate any such restrictions as part of their
> application, then enforce it on our end? That would limit the extent to
> which a compromise of one of these "specialist" CAs could be exploited (e.g.
> we'd notice that a Dutch CA is being used to sign the Mossad's website and
> cry foul, without pre-pinning the CA for the presumably rarely visited
> Mossad site). If one of the big CAs that issue certs all over were
> compromised there would still be a problem of course, but we could
> conceivably demand more diligence in terms of being added to our cert store
> from CAs that want to issue certs to everyone .... and even if we don't we
> might trust some of them more than the specialist CAs to start with.
>
> Has this been considered before? Is my assumption that a lot of the CAs in
> our trust list would only issue to a small subset of possible hostnames
> accurate? If so, is doing what I propose above feasible and worthwhile?
>
> Other than the above and CA pinning for particular sites, any other ideas on
> how we can mitigate the scope of problems like this in the future?
>
> -Boris
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
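The following is an added example, not code from the thread or from Mozilla, modelling the client-side check Boris proposes and the attenuation Adam compares to DNSSEC. It is a small Python model rather than real X.509 parsing: each trust anchor in a constructed trust store carries a list of permitted DNS subtrees, matched with the rule of RFC 5280 section 4.2.1.10 (the subtree "example.com" covers example.com and any name that adds labels on its left); an intermediate may carry its own list, which can only narrow, never widen, what its issuer allows; a leaf is accepted only if every dNSName it asserts falls in the effective permitted set. The CA names ("Global Root CA", "Specialist NL Root"), the hostnames and the chains are all constructed for illustration.

```python
"""Model of hostname-scoped trust anchors with attenuating delegation.

Constructed example: trust store, CA names, hostnames and chains are
illustrative, and certificates are plain records rather than real X.509.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    dns_names: tuple = ()               # SAN dNSName entries (leaf certificates)
    permitted: Optional[tuple] = None   # permitted DNS subtrees; None = no limit


def in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 DNS-name constraint matching: a name satisfies the subtree if it
    equals it or adds one or more labels on the left."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")
    return name == subtree or name.endswith("." + subtree)


def narrow(parent: Optional[tuple], child: Optional[tuple]) -> Optional[tuple]:
    """Intersect two permitted-subtree lists.  The result never widens `parent`;
    an empty tuple means the child may issue for nothing at all."""
    if parent is None:
        return child
    if child is None:
        return parent
    out = []
    for c in child:
        for p in parent:
            if in_subtree(c, p):        # child asked for something narrower: keep it
                out.append(c)
            elif in_subtree(p, c):      # child asked for something wider: clamp to parent
                out.append(p)
    return tuple(out)


def check_chain(leaf: Cert, intermediates: list, trust_store: dict):
    """Walk root -> intermediates -> leaf, accumulating the effective permitted
    set, then test each leaf dNSName against it.  Returns (ok, reason)."""
    by_subject = {c.subject: c for c in intermediates}
    ordered, seen, cur = [], set(), leaf
    while cur.issuer in by_subject and cur.issuer not in seen:
        seen.add(cur.issuer)
        cur = by_subject[cur.issuer]
        ordered.append(cur)
    if cur.issuer not in trust_store:
        return False, f"issuer {cur.issuer!r} is not a trust anchor"
    effective = trust_store[cur.issuer]
    for ca in reversed(ordered):        # apply constraints from the root side down
        effective = narrow(effective, ca.permitted)
    if effective is None:
        return True, "unconstrained anchor"
    for host in leaf.dns_names:
        if not any(in_subtree(host, s) for s in effective):
            return False, f"{host!r} outside permitted subtrees {effective}"
    return True, f"all names within {effective}"


# Constructed trust store: one CA admitted without limits, one admitted only
# for the .nl subtree, as a "specialist" CA would declare on application.
TRUST_STORE = {
    "Global Root CA": None,
    "Specialist NL Root": ("nl",),
}


def demo() -> dict:
    """Run the scenarios from the thread; returns a name -> accepted mapping."""
    nl_leaf = Cert("www.example.nl", "Specialist NL Root", ("www.example.nl", "example.nl"))
    il_leaf = Cert("www.mossad.gov.il", "Specialist NL Root", ("www.mossad.gov.il",))
    il_global = Cert("www.mossad.gov.il", "Global Root CA", ("www.mossad.gov.il",))
    # Sub-CA that tries to claim "com" as well as a slice of .nl; only the
    # slice inside its issuer's scope survives.
    wide_sub = Cert("Widening Sub CA", "Specialist NL Root", permitted=("com", "example.nl"))
    leaf_com = Cert("www.example.com", "Widening Sub CA", ("www.example.com",))
    leaf_sub = Cert("shop.example.nl", "Widening Sub CA", ("shop.example.nl",))
    return {
        "nl_in_scope": check_chain(nl_leaf, [], TRUST_STORE)[0],
        "nl_cross_signs_il": check_chain(il_leaf, [], TRUST_STORE)[0],
        "global_signs_il": check_chain(il_global, [], TRUST_STORE)[0],
        "sub_ca_widened": check_chain(leaf_com, [wide_sub], TRUST_STORE)[0],
        "sub_ca_narrowed": check_chain(leaf_sub, [wide_sub], TRUST_STORE)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:20s} -> {'accept' if accepted else 'reject'}")
```

The point the model makes is the one in the thread: a compromise of the constrained anchor can only mint certificates inside its declared subtree, the unconstrained anchor remains a global risk, and a sub-CA cannot escape its issuer's scope because the effective set is the intersection down the chain. A real implementation would read the subtrees from the CA's application (or from a name-constraints extension on the root) and apply the same matching to the leaf's subjectAltName.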