Frank:

The Wisekey case could be where we might draw the line. Provided that

- there is a *good compelling reason* for using sub-ordinate
  certificates in the first place, limited to the domains under the
  control of the owner (via name-constraints) and with reasonable
  controls in place (like annual site visits, proper CA key generation,
  distribution and storage);
- name constraints in certificates are working as expected with NSS and
  Mozilla software *;
- reasonable verifications are performed of the sub-ordinate certificate
  owner;

I tend to suggest excluding the audit requirement for this specific
case. It should however represent the line between the other cases.

* One thing I'm not sure about concerns S/MIME certificates and
their verification requirements. And do name-constraints work with S/MIME?

Kevin (from Wisekey):

Why is a sub-ordinate CA certificate needed for this product, if it's
limited to a certain set of domain names? Can't the same be achieved by
simply issuing from a general sub CA under the control of the parent CA?
What are the differences for the customer (I mean, it doesn't really
matter if a site certificate or email certificate is issued from a sub
CA under the control of the parent CA or from a different sub CA under
the control of the owner. At the end of the day there may be only a
certain set of domain names for the same set of web sites)?

Nelson:

Do name-constraints work as expected with NSS and Firefox/Thunderbird
etc.? I didn't have a chance to test this ever... Are there some test
cases with correctly and wrongfully issued certificates which would
demonstrate the correct functioning? What about S/MIME certificates?

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
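
Added example, not part of the original message and not NSS code: a minimal model of the RFC 5280 section 4.2.1.10 matching rules for dNSName and rfc822Name, giving pass/fail cases of the kind asked about above. It also shows that a subordinate CA constrained only by dNSName stays unconstrained for e-mail addresses, which bears on the S/MIME question. All names and constraint values are constructed.

```python
# Model of RFC 5280 section 4.2.1.10 name-constraint matching (added example).
# It does not reproduce NSS behaviour; every name below is constructed.

def dns_match(name, constraint):
    """True if name equals constraint or adds whole labels to its left."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)

def email_match(addr, constraint):
    """rfc822Name: constraint is a mailbox, a host, or a '.domain' subtree."""
    addr, constraint = addr.lower(), constraint.lower()
    if "@" in constraint:                  # one specific mailbox
        return addr == constraint
    host = addr.rsplit("@", 1)[-1]
    if constraint.startswith("."):         # subdomains only, not the domain itself
        return host.endswith(constraint)
    return host == constraint              # every mailbox on exactly this host

MATCHERS = {"dns": dns_match, "email": email_match}

def name_allowed(kind, name, permitted, excluded):
    """Check one subjectAltName entry against (kind, constraint) pairs."""
    match = MATCHERS[kind]
    if any(match(name, c) for k, c in excluded if k == kind):
        return False                       # an excluded match always wins
    same_kind = [c for k, c in permitted if k == kind]
    # No permitted subtree of this name type: the type is unconstrained.
    return not same_kind or any(match(name, c) for c in same_kind)

def cert_allowed(san, permitted, excluded=()):
    """san: list of (kind, name) pairs from the end-entity certificate."""
    return all(name_allowed(k, n, permitted, excluded) for k, n in san)

# Constructed constraint sets for a subordinate CA limited to example.com.
DNS_ONLY = [("dns", "example.com")]
DNS_AND_EMAIL = DNS_ONLY + [("email", "example.com")]

if __name__ == "__main__":
    cases = [
        ("correctly issued TLS name", [("dns", "www.example.com")], DNS_ONLY),
        ("look-alike suffix", [("dns", "badexample.com")], DNS_ONLY),
        ("foreign mailbox, DNS-only constraint", [("email", "ceo@other.test")], DNS_ONLY),
        ("foreign mailbox, e-mail constraint", [("email", "ceo@other.test")], DNS_AND_EMAIL),
    ]
    for label, san, permitted in cases:
        print(f"{label}: {'accept' if cert_allowed(san, permitted) else 'reject'}")
```

The third case is accepted by these rules: constraints of one name type place no limit on names of another type, so a CA meant to be limited for S/MIME needs an rfc822Name constraint of its own.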