Albeit with revocation, and the ability to have multiple CAs for the same DNS hierarchy (i.e. you can have CA1 and CA2 for all .co.il sites), as well as a more flexible attenuation policy (CA1 can sign .co.il and .il).

thanks
Devdatta

On 3 September 2011 01:24, Adam Barth <abarth-mozi...@adambarth.com> wrote:
> That sounds a bit like DNSSEC, where the ability to sign host names is
> attenuated as it is delegated.
>
> Adam
>
>
> On Tue, Aug 30, 2011 at 9:46 AM, Boris Zbarsky <bzbar...@mit.edu> wrote:
>> I was looking at our CA root list, and a lot of them seem like "specialist"
>> CAs that would only issue certs for a limited range of hostnames. Could we
>> formalize this, and have CAs indicate any such restrictions as part of their
>> application, then enforce it on our end? That would limit the extent to
>> which a compromise of one of these "specialist" CAs could be exploited (e.g.
>> we'd notice that a Dutch CA is being used to sign the Mossad's website and
>> cry foul, without pre-pinning the CA for the presumably rarely visited
>> Mossad site). If one of the big CAs that issue certs all over were
>> compromised there would still be a problem of course, but we could
>> conceivably demand more diligence in terms of being added to our cert store
>> from CAs that want to issue certs to everyone .... and even if we don't we
>> might trust some of them more than the specialist CAs to start with.
>>
>> Has this been considered before? Is my assumption that a lot of the CAs in
>> our trust list would only issue to a small subset of possible hostnames
>> accurate? If so, is doing what I propose above feasible and worthwhile?
>>
>> Other than the above and CA pinning for particular sites, any other ideas on
>> how we can mitigate the scope of problems like this in the future?
>>
>> -Boris
>> _______________________________________________
>> dev-security mailing list
>> dev-security@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security
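To make the enforcement Boris proposes concrete, here is an added example (not code from this thread, nor from Mozilla's own certificate verifier): a client-side check that each CA in a chain only issues under the DNS subtrees it declared on application, and that a subordinate CA's subtrees are attenuated from its parent's rather than widened, in the spirit of Adam's DNSSEC analogy. The policy table, CA names and hostnames are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class CaPolicy:
    """DNS subtrees a CA declared it issues under; () means unrestricted."""
    name: str
    permitted: Tuple[str, ...] = ()


def dns_in_subtree(hostname: str, suffix: str) -> bool:
    """Label-boundary match, as RFC 5280 dNSName constraints do:
    'www.example.co.il' is under 'co.il' and 'il', but not under 'o.il'."""
    h = hostname.lower().rstrip(".")
    s = suffix.lower().strip(".")
    return h == s or h.endswith("." + s)


def ca_covers(policy: CaPolicy, hostname: str) -> bool:
    """An unrestricted CA covers everything; a restricted one only its subtrees."""
    return not policy.permitted or any(dns_in_subtree(hostname, s) for s in policy.permitted)


def check_chain(hostname: str, chain: Tuple[CaPolicy, ...]) -> Tuple[bool, str]:
    """chain is root CA first, issuing CA last. Every CA must cover the
    hostname, and a subordinate's subtrees must lie inside its parent's:
    the restriction is attenuated as it is delegated, never widened."""
    for parent, child in zip(chain, chain[1:]):
        if not parent.permitted:
            continue  # an unrestricted parent may delegate anything
        if not child.permitted:
            return False, f"{child.name} is unrestricted under restricted {parent.name}"
        for s in child.permitted:
            if not any(dns_in_subtree(s, p) for p in parent.permitted):
                return False, f"{child.name} claims {s!r} outside {parent.name}"
    for ca in chain:
        if not ca_covers(ca, hostname):
            return False, f"{ca.name} may not issue for {hostname!r}"
    return True, "ok"


# Constructed policy table (hypothetical CA names) echoing the thread's examples.
DUTCH_CA = CaPolicy("Dutch specialist CA", ("nl",))
IL_CA = CaPolicy("CA1", ("co.il", "il"))          # can sign .co.il and .il
IL_SUB = CaPolicy("CA1 sub-CA", ("co.il",))       # narrower than its parent
GLOBAL_CA = CaPolicy("Big general-purpose CA")    # unrestricted
```

A Dutch specialist CA issuing for an .il host fails the last loop, which is the "cry foul" case; a sub-CA trying to widen its parent's subtrees fails the attenuation loop.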