Wan-Teh Chang wrote:
> That page lists "Allowing external entities to operate subordinate CAs"
> as a problematic practice.

I think that a better title for that page would be "potentially problematic practices". This is not really a binary "good" vs. "bad" issue. There is a spectrum of possible practices, some of which are really not problematic at all, and some of which are.

> If a company or school needs to issue a lot of certs to its internal
> servers, what is the recommended practice? I always thought the
> organization should operate an intermediate CA subordinate to a
> root CA.

There are a number of possible options and associated practices. For example, one option would be for a commercial CA to operate a subordinate CA on behalf of an organization, with the organization serving only as an RA. Another option would be for the commercial CA to authorize the organization to operate a subordinate CA on its own premises, but constrain the subordinate in terms of what types of certs it can issue. And a third would be for the organization's subordinate CA to have broad powers to issue any types of certs, for any domain, as well as to create its own hierarchy.

As the amount of autonomy granted to the organization increases, so do potential risks: the organization might not be as diligent in key protection as the commercial CA, it might be more lax in its verification procedures, and so on. That's why I think it's worth marking this practice at least with a "yellow flag", as being worthy of further investigation.

Frank

--
Frank Hecker