On 12/10/2013 10:52 AM, From Erwann Abalea:
You're right, of course. Mozilla has twice expressed its concerns
about MITM certs linked to a public CA, and all public CAs including
IGC/A was told to perform some checks on the complete set of
certificates chaining to the root, reporting any deviation. But
budgets are needed to change all the procedures, perform internal
audits, change software, run training programs, etc.
From
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
for a certificate to be used for SSL-enabled servers, the CA takes
reasonable measures to verify that the entity submitting the
certificate signing request has registered the domain(s) referenced
in the certificate /or/ has been authorized by the domain registrant
to act on the registrant’s behalf;
It's been there for how many years now? It's not about MITM, it's really
about doing the bare minimum - if a CA does that it never lets a
certificate be used knowingly for MITM purpose. If hasn't done that up
to now due to budget constraints or whatever other reasons, I suggest to
take measures accordingly.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
