On Feb 14, 2012, at 1:16 23PM, Jon Callas wrote:

> 
> On Feb 14, 2012, at 7:42 AM, ianG wrote:
> 
>> On 14/02/12 21:40 PM, Ralph Holz wrote:
>>> Ian,
>>> 
>>> Actually, we thought about asking Mozilla directly and in public: how
>>> many such CAs are known to them?
>> 
>> It appears their thoughts were "none."
>> 
>> Of course there have been many claims in the past.   But the Mozilla CA desk 
>> is frequently surrounded by buzzing small black helicopters so it all 
>> becomes noise.
> 
> I've asked about this, too, and the *documented* evidence of this happening 
> is exactly that -- zero.
> 
> I believe it happens. People I trust have told me, whispered in my ear, and 
> assured me that someone they know has told them about it, but there's 
> documented evidence of it zero times.
> 
> I'd accept a screen shot of a cert display or other things as evidence, 
> myself, despite those being quite forgeable, at this point.
> 
> Their thoughts of it being none are reasonably agnostic on it.
> 
> Those who have evidence need to start sharing.
> 

A related question...

Sub-CAs for a single company are obviously not a problem.  Thus, if a major CA 
were to issue WhizzBangWidgets a CA cert capable of issuing certificates for 
anything in *.WhizzBangWidgets.com, it would be seen as entirely proper.  The 
issue is whether or not that sub-CA can issue certificates for, say, 
google.com.  The restriction is enforced by the Name Constraints field in the 
CA's cert.  However, this is seldom-enough seen that I have no idea if it's 
actually usable.  So -- do major cert-accepting programs examine and honor this 
field, and do it correctly?  I know that OpenSSL has some code to support it; 
does it work?  What about Firefox's?  The certificate-handling code in various 
versions of Windows?  Of MacOS?


                --Steve Bellovin, https://www.cs.columbia.edu/~smb
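The sub-CA scenario above, run through Go's crypto/x509 chain builder, as an added example that is not part of the original thread or any of its participants' code. WhizzBangWidgets, whizzbangwidgets.com and the certificate names are hypothetical. A root signs a sub-CA carrying a Name Constraints extension (permittedSubtrees = dNSName ".whizzbangwidgets.com"); the sub-CA then signs one leaf inside the constraint and one for www.google.com. The CA code happily signs both; only the verifier rejects the second, which is the whole question the message raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a hypothetical root and the name-constrained sub-CA it issued.
type testPKI struct {
	root    *x509.Certificate
	subCA   *x509.Certificate
	subKey  *ecdsa.PrivateKey
}

var serial int64

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign has parent (signed with parentKey) issue tmpl and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI creates a self-signed root and a sub-CA whose Name Constraints
// extension permits only dNSName subtrees under .whizzbangwidgets.com.
func BuildPKI() *testPKI {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: "Example Root CA"}, // hypothetical
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	subKey := newKey()
	subTmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: "WhizzBangWidgets Sub-CA"}, // hypothetical
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
		// The Name Constraints extension itself. Marked critical so a
		// verifier that does not understand it must reject the chain
		// rather than silently ignore the restriction.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".whizzbangwidgets.com"},
	}
	return &testPKI{root: root, subCA: sign(subTmpl, root, &subKey.PublicKey, rootKey), subKey: subKey}
}

// IssueLeaf has the sub-CA sign a server certificate for dnsName. Nothing
// here consults the constraint: a CA key can sign any name it is asked to.
func (p *testPKI) IssueLeaf(dnsName string) *x509.Certificate {
	leafKey := newKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, p.subCA, &leafKey.PublicKey, p.subKey)
}

// VerifyLeaf builds leaf -> sub-CA -> root as a TLS client would, for dnsName.
func (p *testPKI) VerifyLeaf(leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.subCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// ConstraintViolated reports whether err is specifically a name-constraint rejection.
func ConstraintViolated(err error) bool {
	var ce x509.CertificateInvalidError
	return errors.As(err, &ce) && ce.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	p := BuildPKI()
	for _, name := range []string{"www.whizzbangwidgets.com", "www.google.com"} {
		fmt.Printf("%-26s -> %v\n", name, p.VerifyLeaf(p.IssueLeaf(name), name))
	}
}
```

Two caveats worth knowing before reading the result as "Name Constraints work": this only answers the question for Go's verifier, so the same chain has to be fed to each client under discussion (OpenSSL, NSS, CryptoAPI, Security.framework) to answer it for them; and Go, like NSS, reads a leading dot in a dNSName constraint as "subdomains only", so the bare whizzbangwidgets.com is rejected by this sub-CA even though RFC 5280 does not define the leading-dot form for DNS names.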

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography