http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
It appears Google's Internet Authority G2 (https://pki.google.com) could be part of this program, since the subordinate CA is certified by GeoTrust Global CA. If you look at the certificate, it is *not* name constrained, so Google can mint certificates for any domain (and not just its web properties).

I'm not too worried about Google. But I can't say the same for any old organization that joins this program.

Both the IETF and the CA/B Forum have name constraints that could be used to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 "Name Constraints", and the Baseline Requirements, 9.7 "Technical Constraints in Subordinate CA Certificates via Name Constraints".

I'm not sure if the program targeting organizations as a subordinate CA is a bad idea, or if GeoTrust is doing a bad job by not using name constraints. But as it stands, I don't like the smell of things.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
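As an added illustration of the RFC 5280 section 4.2.1.10 rule the post refers to (this is not code from the original post, and it uses no X.509 library), the following Python models the dNSName part of the Name Constraints extension and shows why an unconstrained subordinate CA can issue for any domain while a constrained one cannot. The constraint sets are modelled as plain tuples, only dNSName entries are handled (not IP, rfc822Name, URI or directoryName), and an empty subtree string is treated as matching every name; that last point is a choice made here, not something RFC 5280 specifies.

```python
"""
Model of RFC 5280 section 4.2.1.10 (Name Constraints) for dNSName entries.

Added example, not part of the original post. The extension is represented
as plain Python data rather than parsed from a real certificate so that the
matching rule itself is visible and the code runs offline.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class NameConstraints:
    """permittedSubtrees / excludedSubtrees, restricted to dNSName entries.

    Pass None (instead of an instance) where the extension is absent from the
    CA certificate, i.e. the CA is unconstrained, which is the situation the
    post describes for the GeoTrust-signed subordinate.
    """
    permitted: Sequence[str] = ()
    excluded: Sequence[str] = ()


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: `name` is in `subtree` if it equals the subtree
    or can be formed by adding one or more labels on the left of it.
    Comparison is case-insensitive and ignores a trailing dot.
    An empty subtree string is treated here as matching every name
    (assumption of this example; the RFC does not define that case).
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if not subtree:
        return True
    return name == subtree or name.endswith("." + subtree)


def dns_name_permitted(name: str, nc: Optional[NameConstraints]) -> bool:
    """Apply the 4.2.1.10 rule for one dNSName against one CA's constraints.

    - Absent extension (nc is None): every name is allowed.
    - A match in excludedSubtrees rejects the name, regardless of permitted.
    - If permittedSubtrees lists at least one dNSName, the name must fall
      under one of them; an empty permitted list leaves the type unrestricted.
    """
    if nc is None:
        return True
    if any(dns_in_subtree(name, s) for s in nc.excluded):
        return False
    if nc.permitted:
        return any(dns_in_subtree(name, s) for s in nc.permitted)
    return True


def chain_permits_dns_name(name: str, chain: Sequence[Optional[NameConstraints]]) -> bool:
    """A leaf name must satisfy the constraints of *every* CA above it.

    Constraints accumulate down the path: a subordinate CA cannot widen what
    its parent imposed. `chain` is ordered from root to issuing CA.
    """
    return all(dns_name_permitted(name, nc) for nc in chain)


def compare_programs(name: str) -> dict:
    """Constructed scenario: the same root issues two subordinates, one with
    no Name Constraints extension and one limited to example.com (with an
    internal zone carved out). Returns which of them may issue for `name`.
    """
    root = None  # public roots are typically unconstrained
    unconstrained_sub = None
    constrained_sub = NameConstraints(
        permitted=("example.com",),
        excluded=("internal.example.com",),
    )
    return {
        "unconstrained": chain_permits_dns_name(name, [root, unconstrained_sub]),
        "constrained": chain_permits_dns_name(name, [root, constrained_sub]),
    }


if __name__ == "__main__":
    for host in ("www.example.com", "www.internal.example.com",
                 "mail.google.com", "example.com.evil.net"):
        print(f"{host:28s} {compare_programs(host)}")
```

To see which case a real subordinate CA certificate falls into, dump it with `openssl x509 -in sub-ca.pem -noout -text` and look for an "X509v3 Name Constraints" section; if it is absent, the certificate behaves like the `unconstrained` branch above.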