On 9/2/2011 11:42 PM, Daniel Veditz wrote:
> On 8/31/11 3:52 PM, Hill, Brad wrote:
>> Mozilla could add a certificate it controls to the trusted root
>> store with which it cross-signs other CA certs, adding a
>> nameConstraints in the process, yes?
>
> In theory. In practice Firefox uses the historical certificate
> verification code and not the NSS pkix code, and the old code does
> not support constraints. We are working through a list of pkix bugs
> with the goal of switching over.
>
> -Dan Veditz

   Excellent. That work should be pushed.

   Restrictions at the root level are appropriate.  90% of the certs in
the wild come from the big CAs that are members of the CA/Browser Forum.
They're tightening up their rules on auditing.  They don't want to
have a breach like DigiNotar and go bankrupt within weeks.
The other CAs should be severely restricted in what they can do.

   The US Government and DOD have a number of CAs, and those certs
should only be valid for ".gov" and ".mil" domains, for example.
Comparable restrictions should be applied to governmental CAs for
ccTLDs.

   More restrictions on sub-CAs would be appropriate.  A sub-CA for a
second-level domain should be restricted to that domain, and that
needs to be enforced.

There's a discussion on sub-CA policy going on now over on mozilla.dev.security.policy. Check that out.

                                        John Nagle
                                        SiteTruth
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
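Both of the ideas in this thread, Brad Hill's cross-signing a CA under a browser-controlled root with a nameConstraints extension, and John Nagle's sub-CA that is only valid for one domain, are the same X.509 mechanism, and a path validator that honours name constraints (the point Dan says the old Firefox code did not) rejects any end-entity certificate whose SAN falls outside the permitted set. The program below is an added, constructed example written for this page; it is not code from the thread, from Mozilla, or from NSS. It uses Go's standard-library crypto/x509 validator, which does enforce name constraints. The CA names, the serial numbers, the `.gov`/`.mil` permitted list and the hostnames are all assumptions; the keys are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ConstrainedPKI is a constructed toy hierarchy: a browser-controlled root
// that cross-signs a hypothetical government CA and, in doing so, adds a
// nameConstraints extension limiting the names that CA may certify.
type ConstrainedPKI struct {
	root   *x509.Certificate
	govCA  *x509.Certificate
	govKey *ecdsa.PrivateKey
	serial int64 // assumed serial counter; real CAs use random serials
}

// sign issues a certificate from tmpl under parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed root: the template signs itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func (p *ConstrainedPKI) template(cn string) *x509.Certificate {
	p.serial++
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// NewConstrainedPKI builds the root and the constrained cross-certificate.
// permitted is the dNSName permittedSubtrees list, e.g. []string{".gov", ".mil"}
// for a national-government CA or []string{"example.gov"} for a per-domain sub-CA.
func NewConstrainedPKI(permitted []string) (*ConstrainedPKI, error) {
	p := &ConstrainedPKI{}
	rootTmpl := p.template("Browser Root (constructed example)")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid = true, true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign
	root, rootKey, err := sign(rootTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	// The constraint lives in the cross-certificate the browser root issues,
	// so it binds the government CA's key without that CA's cooperation.
	govTmpl := p.template("Example Government CA (constructed example)")
	govTmpl.IsCA, govTmpl.BasicConstraintsValid = true, true
	govTmpl.KeyUsage = x509.KeyUsageCertSign
	govTmpl.PermittedDNSDomains = permitted
	govTmpl.PermittedDNSDomainsCritical = true
	govCA, govKey, err := sign(govTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	p.root, p.govCA, p.govKey = root, govCA, govKey
	return p, nil
}

// IssueAndVerify has the constrained CA issue a server certificate for host
// and then validates it as a browser would, trusting only the browser root.
func (p *ConstrainedPKI) IssueAndVerify(host string) error {
	leafTmpl := p.template(host)
	leafTmpl.DNSNames = []string{host}
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err := sign(leafTmpl, p.govCA, p.govKey)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.govCA)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// RejectedByNameConstraint distinguishes a name-constraint violation from
// other failures (expiry, hostname mismatch, unknown authority).
func RejectedByNameConstraint(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	p, err := NewConstrainedPKI([]string{".gov", ".mil"})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"www.example.mil", "www.example.gov", "www.example.com"} {
		err := p.IssueAndVerify(host)
		fmt.Printf("%-16s verify error: %v (name constraint violation: %t)\n", host, err, RejectedByNameConstraint(err))
	}
}
```

The certificate for www.example.com is signed correctly by the government CA and would validate under a checker that ignores the extension; only the name-constraint step rejects it, which is why Dan's note about the legacy verifier matters. Marking the extension critical means a validator that does not understand nameConstraints must reject the whole chain rather than silently accept the broader trust.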
