Note that the GlobalSign document is clear about the requirements and audits
From <https://www.globalsign.com/certificate-authority-root-signing/>
GlobalSign> Organizations using Trusted Root must meet the operational best
GlobalSign> practices in effect for Certificate Authorities, including
GlobalSign> compliance with CA/B Forum baseline requirements. For that
GlobalSign> reason, there are a number of technical, procedural, contractual
GlobalSign> requirements that must be met and maintained via regular
auditing.
GlobalSign> Trusted Root is a select service with strict requirements.
Trusted
GlobalSign> Root is both technically and contractually prohibited from being
GlobalSign> used for deep packet inspection/scanning of outbound/inbound
HTTPS traffic.
If they really enforce this, those cross-signed CAs are probably as
secure as
any of the other non-top-5 CAs already in Debian's CA bundle. Note
especially
the requirement of meating the "CA/B Forum baseline requirements", which I
believe are very close to Debian's and Mozilla's inclusion requirements.
Examples of GlobalSign cross signed certificates that I have encountered are
various cheaper, but popular CAs such as AlphaSSL
(<https://www.alphassl.com/repository/>)
Our company currently uses GlobalSign root derived certificates for many
things,
including an AlphaSSL wildcard certificate for our less important sites,
so far
they seem to be very thorough and trustworthy, even a simple renewal of
an EV
SSL certificate can take more than a month of detailed vetting of our
existing
identity, where they even insist on the ability to verify information
that does
not go in the certificate (and is thus not certified to those who trust the
certificate).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
