I think that press release is years old.  GeoTrust was bought by VeriSign
years ago, which was then bought by Symantec.

This kind of agreement now requires the subordinate to be audited to the
same standards as all other public CAs.

On Apr 5, 2015 3:03 PM, "Jeffrey Walton" <[email protected]> wrote:

>
> http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
>
> It appears Google's Internet Authority G2 (https://pki.google.com)
> could be part of this program since the subordinate CA is certified by
> GeoTrust Global CA. If you look at the certificate, it is *not* name
> constrained so Google can mint certificates for any domain (and not
> just its web properties). I'm not too worried about Google. But I
> can't say the same for any old organization that joins this program.
>
> Both the IETF and CA/B Forums have name constraints that could be used
> to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
> Constraints and Baseline Requirements, 9.7 Technical Constraints in
> Subordinate CA Certificates via Name Constraints.
>
> I'm not sure if the program targeting organizations as a subordinate
> CA is a bad idea or if GeoTrust is doing a bad job by not using name
> constraints. But as it stands, I don't like the smell of things.
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
>