Eddy Nigg wrote:

> The Wisekey case could be where we might draw the line. Provided that
>
> - there is a *good compelling reason* for using subordinate certificates in the first place, limited to the domains under the control of the owner (via name-constraints) and with reasonable controls in place (like annual site visits, proper CA key generation, distribution and storage);

I wonder how you want to limit the domains via the name constraints extension in current business practice. I have a customer who has ~20000 registered domains. They bought another big company with ~30000 registered domains. They usually register all variants of product names under all top-level domains, so the number is growing quite fast. For each domain there MAY be SSL certs issued by their own sub CA.

In this environment the naming constraints are just defined by contract with the root CA owner, not by cert extension.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
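
Added illustration, not part of the original message: a minimal sketch of RFC 5280 dNSName `permittedSubtrees` matching, showing that every registered domain needs its own entry in the sub CA certificate and that a newly registered domain falls outside the constraints until that certificate is re-issued. All domain names and function names are constructed for the example.

```python
# Added example: dNSName name-constraint matching (permittedSubtrees only),
# following RFC 5280 section 4.2.1.10. All names are constructed samples.

def _labels(name):
    """Normalise a DNS name to a list of lower-case labels."""
    return name.rstrip(".").lower().split(".")

def dns_within(name, constraint):
    """True if `name` equals `constraint` or only adds labels on the left."""
    n, c = _labels(name), _labels(constraint)
    # Compare whole labels, so "evilwidget.com" does not match "widget.com".
    return len(n) >= len(c) and n[-len(c):] == c

def violations(san_names, permitted_subtrees):
    """Return the SAN dNSNames that fall outside every permitted subtree."""
    return [n for n in san_names
            if not any(dns_within(n, c) for c in permitted_subtrees)]

def portfolio(products, tlds):
    """One registered domain per product name and top-level domain."""
    return [f"{p}.{t}" for p in products for t in tlds]

# Constructed portfolio: each registered domain becomes one permitted subtree,
# so the extension grows with products x TLDs (tens of thousands in the thread).
PRODUCTS = ["widget", "gadget", "gizmo"]
TLDS = ["com", "net", "de"]
PERMITTED = portfolio(PRODUCTS, TLDS)

if __name__ == "__main__":
    print(len(PERMITTED), "permittedSubtrees entries")
    # "sprocket.com" was registered after the sub CA certificate was issued.
    requested = ["shop.gizmo.de", "www.sprocket.com"]
    print("outside constraints:", violations(requested, PERMITTED))
```
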
