On 11/19/2008 03:29 PM, Michael Ströder:
> I wonder how you want to limit the domains via name constraint extension in current business practice. I have a customer who has ~20000 registered domains. They bought another big company with ~30000 registered domains. They usually register all variants of product names under all top-level domains so the number is growing quite fast. For each domain there MAY be SSL certs issued by an own sub CA. In this environment the naming constraints are just defined by contract with the root CA owner not by cert extension.

Well, this is what the CPS of Wisekey apparently says, not my invention. It wouldn't be our problem how this would be implemented in the case above. I stated what would be acceptable in my opinion - with naming constraints being clearly conditional.
Basically your customer wouldn't fall under this category and would have to be audited as any other CA, certainly with 20K and more domains under their control. Makes sense in my opinion (because of the higher risk and wider audience of the relying parties).

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

