Hi Eddy,

On Nov 21, 8:16 pm, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 11/21/2008 05:16 PM, kgb:
> > Frank, I agree with you.
> > Our CA controls, audits, etc. are designed to ensure that all identities
> > are validated appropriately prior to certificate issuance. BlackBox CAs
> > are an extremely restricted CA context where certificates issued at the
> > CA are restricted to domains owned by the organisation.
> > It is not necessary for domain constraints to work in NSS software for
> > our Root to be accepted, as the control's primary point of operation is
> > PRIOR to certificate issuance.
> > Even if domain constraints are not interpreted properly by NSS today,
> > they will be in the future, and the certificates issued by our MPKI
> > system using CAs in our DCs will be perfectly unaffected.
> > I am sure that the name constraints implementation process will be much
> > further along, and our Root still will not have propagated very far
> > through the typical update mechanisms.
> > On our behalf, I thus submit that it would be a fairly extreme and an
> > unfair penalty to wait an additional year (the first discussion period
> > was in January of this year) to be embedded, whereas the primary
> > controls and practices we use have not changed significantly from that
> > point in time.
>
> Kevin, are you recording all domain names and/or email addresses of the
> subject line also in the subject alt name extension? If yes, the problem
> is solved, if not, could you modify your issuance of end user
> certificates to include all of the validated domain names and/or email
> addresses in the SAN extension?
>
> BTW, this is the information I could gather about the state of NSS, it
> seems to me trivial to achieve adherence and correct functioning of the
> software.
For e.g. S/MIME certs, if you mean the subject alt name email contains the email address, not just SubjectDN-E, then yes, this is the case with the majority of certificates issued by the BlackBox CAs, but not all. I took a quick look at some customer S/MIME certificates and sometimes E is only included in the Subject DN. Some customers don't include the SAN in their certificate templates, it seems particularly those that use non-western character sets.

I am interpreting that you mean "modify the issuance of end user certs to always include the SAN extension, as well as only validated domain names and/or email addresses"? Only validated and approved domain names can be included in a cert, whether in the Subject DN or the SAN. It is the default template, and best practice, that the SAN (e.g. RFC822, dnsName) be filled in the certificates. It's the case for some but not all customers. I really hope it's not necessary once we can guarantee that only validated domains are used in the certificates.

Regards,
Kevin

> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
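As an added example, not part of this thread and not any CA's own software: a small Python audit of the issuance point Eddy raises, checking that every validated name is present in the SAN (where a name-constrained sub-CA's constraints can actually be applied) and that each SAN name sits inside the CA's permitted subtrees. The simplified cert layout, the dotted-CN heuristic and the sample constraints are assumptions.

```python
# Added example (not from this thread). Simplified cert representation assumed:
# {"subject": {"CN": ..., "E": ...}, "san": [(name_form, value), ...]}.
# Subtree matching follows RFC 5280 4.2.1.10 for dNSName and rfc822Name.

def _dns_in_subtree(name, base):
    # dNSName subtree "example.org" covers example.org and every subdomain
    name, base = name.lower(), base.lower().lstrip(".")
    return name == base or name.endswith("." + base)

def _email_in_subtree(addr, base):
    # rfc822Name subtree forms: full address (that mailbox only), a host
    # (any mailbox on that host only), or ".domain" (any host under it)
    addr, base = addr.lower(), base.lower()
    if "@" in base:
        return addr == base
    host = addr.rpartition("@")[2]
    return host.endswith(base) if base.startswith(".") else host == base

def permitted(form, value, constraints):
    subtrees = constraints.get(form)
    if not subtrees:  # no permittedSubtrees for this name form: unconstrained
        return True
    match = _dns_in_subtree if form == "dNSName" else _email_in_subtree
    return any(match(value, b) for b in subtrees)

def audit_cert(cert, constraints):
    """Report SAN names outside the CA's permitted subtrees, and names that
    live only in the Subject DN (a SAN-only constraint check never sees them)."""
    san = set(cert.get("san", []))
    dn_names = []
    if "E" in cert["subject"]:
        dn_names.append(("rfc822Name", cert["subject"]["E"]))
    cn = cert["subject"].get("CN", "")
    if "." in cn:  # assumption: a dotted CN is a host name
        dn_names.append(("dNSName", cn))
    violations = [n for n in san if not permitted(*n, constraints)]
    dn_only = [n for n in dn_names if n not in san]
    return {"violations": violations, "dn_only": dn_only,
            "ok": not violations and not dn_only}

# Constructed samples: a customer sub-CA constrained to example.org
CA_CONSTRAINTS = {"dNSName": ["example.org"],
                  "rfc822Name": ["example.org", ".example.org"]}
GOOD = {"subject": {"CN": "Alice", "E": "alice@mail.example.org"},
        "san": [("rfc822Name", "alice@mail.example.org")]}
DN_ONLY = {"subject": {"CN": "Bob", "E": "bob@example.org"}, "san": []}
OUTSIDE = {"subject": {"CN": "www.example.com"},
           "san": [("dNSName", "www.example.com")]}
if __name__ == "__main__":
    for label, c in [("good", GOOD), ("dn_only", DN_ONLY), ("outside", OUTSIDE)]:
        print(label, audit_cert(c, CA_CONSTRAINTS))
```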