On 09.11.2011 21:00, Jacob Appelbaum wrote:
Hi,
I've had a few discussions with people about interesting things that a
CA should probably never sign for the public internet.
Have you seen https://wiki.mozilla.org/CA:Problematic_Practices ?
You might be interested in newsgroup
mozilla.dev.security.policy at news.mozilla.org
where related discussions can be found.
A private CA or a
CA used simply for private purposes is obviously another story.
Off the top of my head and to kick things off:
non-FQDN host names such as 'mail'
scoped names that cannot be verified such as 'foo.bar.local'
See also
https://wiki.mozilla.org/CA:Problematic_Practices#Issuing_SSL_Certificates_for_Internal_Domains
Other things include:
high profile domains without manual verification
See also
https://wiki.mozilla.org/CA:Communications#September_8.2C_2011
# 4)
for a recent request from Kathleen Wilson (who manages Mozilla's root CA
program).
weakly keyed CSR with say a 3 or 512 bit key
See also
https://wiki.mozilla.org/CA:Problematic_Practices#Minimum_Key_Sizes
It seems like this is ripe for a wiki or something that is public. Some
of these things may be a good debate but that they are issues at all for
someone is probably not much of a debate.
Best Regards
Kai
