On 6/12/2008 4:46 PM, Wan-Teh Chang wrote [in part]:
> If a company or school needs to issue a lot of certs to its internal
> servers, what is the recommended practice? I always thought the
> organization should operate an intermediate CA subordinate to a
> root CA. Isn't that the hierarchical model of PKI? If this is a
> problematic practice, is Mozilla recommending that the organization
> buy individual certs from a commercial CA, or operate its own root CA?
> Perhaps this is why we have so many root CAs now.
>
> Wan-Teh
For internal use, an organization should create its own root certificate, with
intermediate certificates as needed. It should then issue its own site
certificates. However, the root certificate would never be part of the NSS
database. The first bullet under Section 6 of the "Mozilla CA Certificate
Policy" effectively requires a root certificate to have public (not internal)
relevance. Further, the policy effectively requires a certificate authority to
be reviewed or audited by an external party; an organization creating an
internal root certificate is unlikely to have an audit focused on its
certificate handling.

-- 
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions for
Firefox, Thunderbird, SeaMonkey, and other Mozilla-related applications. You
can access Mozdev much more quickly than you can Mozilla Add-Ons.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
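The hierarchy David describes (private root, an intermediate, site certificates, with only the root handed to internal clients), as an added shell example built with openssl; it is not code from the thread, and the names, the directory layout and the pathlen:0 control check are my own assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): internal root -> issuing intermediate ->
# site certificate, then the chain check a client trusting only the root does.
# All names (Example Internal Root, intranet.example.internal) are made up.
set -e
# Write an x509v3 extension file: $1 = path, remaining args = one line each.
ext() { f=$1; shift; printf '%s\n' "$@" > "$f"; }
# Create key + CSR and sign it. $1 = CN, $2 = basename, $3 = extension file,
# $4 = issuer basename (empty means self-signed, i.e. the root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 3650 \
      -extfile "$3" -out "$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$2.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -days 825 -extfile "$3" -out "$2.pem" 2>/dev/null
  fi
}
build_hierarchy() {
  cd "$(mktemp -d)"
  # Root: the only certificate that gets distributed to internal clients.
  ext root.ext 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash'
  issue 'Example Internal Root' root root.ext
  # Intermediate: pathlen:0 lets it sign servers but no further CAs.
  ext sub.ext 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer'
  issue 'Example Issuing CA' sub sub.ext root
  # Site certificate, signed by the intermediate, never by the root directly.
  ext srv.ext 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:intranet.example.internal'
  issue 'intranet.example.internal' srv srv.ext sub
}
# Client-side check: trust only root.pem; the intermediate is untrusted input.
verify_server() { openssl verify -CAfile root.pem -untrusted sub.pem srv.pem >/dev/null 2>&1; }
# Control: a further CA issued beneath the pathlen:0 intermediate must be rejected.
pathlen_enforced() {
  issue 'Extra Sub-CA' extra sub.ext sub
  issue 'host2.example.internal' leaf2 srv.ext extra
  cat sub.pem extra.pem > chain.pem
  ! openssl verify -CAfile root.pem -untrusted chain.pem leaf2.pem >/dev/null 2>&1
}
build_hierarchy && verify_server && pathlen_enforced && echo "hierarchy OK in $PWD"
```

Only root.pem would be imported into internal clients' trust stores; sub.pem travels with the server's chain, and root.key stays offline.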