On 12/9/2011 12:27 AM, Adam Back wrote:
> Do the air-gapped private PKI root certs (and if applicable their non-airgapped sub-CA certs they authorize) have the critical name constraint extension, e.g. ".foocorp.com", meaning it is only valid for creating certs for *.foocorp.com?
The early ones did. However, we stopped putting in the constraint as we became aware that it created some operational headaches when companies merged or acquired other companies, and needed certificates under the domain-name of the merged/acquired company (to preserve legacy applications and customers) which were different from the domain names in the constraint. Secondly, the constraint is perceived as protecting the TTP CAs more than the Subject; and since the TTP did not mandate it in their CP, there was no reason to include it. (I have already heard that one TTP CA is rethinking this and is considering mandating it on all new and renewed certs).
> (I am presuming these private PKI certs are sub-CA certs certified by a CA listed in browsers.)
In some cases, that is correct. Others are "closed" PKIs - self-signed and only for internal use (example: as in multiple components of bio-technology products that strongly authenticate to each other before enabling the product's use).

Arshad Noor
StrongAuth, Inc.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
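To make the trade-off in the exchange above concrete, here is an added example (not code from the thread or from StrongAuth): a root signs a sub-CA carrying a critical nameConstraints extension permitting only DNS names under .foocorp.com, the sub-CA then issues one leaf inside that subtree and one for a hypothetical acquired company's domain, and `openssl verify` accepts the first and rejects the second. All names, files and domains are constructed for the demo; it assumes an OpenSSL 1.1.1 or 3.x CLI.

```shell
#!/bin/sh
# Constructed demo, not code from the thread: the sub-CA will issue any cert
# it is asked for; it is the relying party's verifier that enforces the constraint.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: CSR, then self-signed with explicit CA extensions.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile root.ext >/dev/null 2>&1

# Sub-CA: same, plus the critical name constraint discussed in the thread.
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Demo Sub CA" >/dev/null 2>&1
cat > sub.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:.foocorp.com
EOF
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out sub.crt -days 2 -extfile sub.ext >/dev/null 2>&1

# issue_leaf NAME HOSTNAME: end-entity cert from the sub-CA with a DNS SAN.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out "$1.crt" -days 1 -extfile "$1.ext" >/dev/null 2>&1
}
issue_leaf inside www.foocorp.com            # within the permitted subtree
issue_leaf outside www.acquiredcorp.example  # the merger/acquisition case

# verify_leaf NAME: exit 0 if root -> sub-CA -> leaf validates, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted sub.crt "$1.crt" >/dev/null 2>&1
}

# constraint_is_critical: exit 0 if the sub-CA marks nameConstraints critical.
constraint_is_critical() {
  openssl x509 -in sub.crt -noout -text | grep -q 'Name Constraints: critical'
}

verify_leaf inside  && echo "www.foocorp.com: chain OK"
verify_leaf outside || echo "www.acquiredcorp.example: rejected (permitted subtree violation)"
```

Issuance for the acquired domain succeeds at the CA; only validation fails, which is exactly the operational headache described when a constrained sub-CA must suddenly cover a second company's namespace.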
