So does this mean Iran & the like can stop hacking CAs and buy their own Geotrust cert to MITM their population?
--
-ITG (ITechGeek)
[email protected]
https://itg.nu/
GPG Keys: https://itg.nu/contact/gpg-key
Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook: http://fb.me/Jbwa.Net

On Sun, Apr 5, 2015 at 6:03 PM, Jeffrey Walton <[email protected]> wrote:
>
> http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
>
> It appears Google's Internet Authority G2 (https://pki.google.com) could be
> part of this program since the subordinate CA is certified by GeoTrust
> Global CA. If you look at the certificate, it is *not* name constrained, so
> Google can mint certificates for any domain (and not just its web
> properties). I'm not too worried about Google. But I can't say the same for
> any old organization that joins this program.
>
> Both the IETF and CA/B Forums have name constraints that could be used to
> enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
> Constraints and Baseline Requirements, 9.7 Technical Constraints in
> Subordinate CA Certificates via Name Constraints.
>
> I'm not sure if the program targeting organizations as a subordinate CA is
> a bad idea or if GeoTrust is doing a bad job by not using name constraints.
> But as it stands, I don't like the smell of things.
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
>
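The difference Jeffrey is pointing at, between a subordinate CA that carries an RFC 5280 4.2.1.10 Name Constraints extension and one that does not, is easiest to see by building a throwaway chain and running a validator over it. The script below is an added example and not part of the thread or of any CA's tooling; it assumes the openssl command-line tool (1.1.1 or later) is on PATH, and every name, CN and domain in it is made up. It creates one root, two subordinate CAs (one unconstrained, one permitted only for example.com and names under it), has each subordinate issue a leaf inside and outside that scope, and then runs openssl verify on all four chains and checks which subordinate actually carries the extension.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI that shows what an RFC 5280
# 4.2.1.10 Name Constraints extension on a subordinate CA changes for a relying party.
# Assumes the openssl CLI (1.1.1 or later) is on PATH; every name below is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: the root, two flavours of subordinate CA, and two leaf certs.
cat > "$WORK/ext.cnf" <<'EOF'
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ ca_unconstrained ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign

[ ca_constrained ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# The organization may only issue for example.com and names under it.
nameConstraints = critical, permitted;DNS:example.com

[ leaf_in_scope ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com

[ leaf_out_of_scope ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.org
EOF

# issue NAME SIGNER EXT_SECTION CN: make a key and CSR, then sign it with SIGNER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$4" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions "$3" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
    # Self-signed root, standing in for the public root in the announcement.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Toy Public Root" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ext.cnf" -extensions root_ca -out "$WORK/root.crt" >/dev/null 2>&1
    issue sub_open root ca_unconstrained "Org CA, no name constraints"
    issue sub_nc   root ca_constrained   "Org CA, name constrained"
    # Each subordinate issues one in-scope leaf and one for a domain it has no business with.
    issue ok_open  sub_open leaf_in_scope     www.example.com
    issue bad_open sub_open leaf_out_of_scope www.example.org
    issue ok_nc    sub_nc   leaf_in_scope     www.example.com
    issue bad_nc   sub_nc   leaf_out_of_scope www.example.org
}

# verify_leaf LEAF SUBORDINATE: exit 0 when the chain validates up to the root.
verify_leaf() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# has_name_constraints CERT: exit 0 when the certificate carries the extension.
# This is the check Jeffrey did by hand on the Google subordinate.
has_name_constraints() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "Name Constraints"
}

show() {
    if verify_leaf "$1" "$2"; then
        echo "$1 issued by $2: accepted"
    else
        echo "$1 issued by $2: rejected"
    fi
}

build_pki
show ok_open  sub_open   # accepted
show bad_open sub_open   # accepted: nothing in the chain says the subordinate was out of scope
show ok_nc    sub_nc     # accepted
show bad_nc   sub_nc     # rejected: permitted subtree violation
```

The two middle lines of output are the whole point: a validator has no idea what an unconstrained subordinate was meant to issue for, so bad_open is as good as ok_open, while the same out-of-scope leaf under sub_nc is rejected by every RFC 5280 path validator without any policy outside the certificate itself. The has_name_constraints step is what to run against any externally operated subordinate chained to a public root before deciding how much to trust it.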
