Hi Eddy, On Nov 21, 10:37 pm, Eddy Nigg <[EMAIL PROTECTED]> wrote: > On 11/21/2008 10:12 PM, kgb: > > > > > Only validated and approved domain names can be included > > in a cert, whether in the Subject DN or the SAN. > > It is the default template, and best practice that the SAN > > (e.g. RFC822, dnsName) to be filled in the certificates. > > Its the case for some but not all customers. > > > I really hope its not necessary once we can guarantee that > > only validated domains are used in the certificates. > > The issue I care mostly about is, what happens when one if these systems > get compromised without you (the CA) ever detecting. Since those system > aren't under your control, this is entirely possible and the risk is > certainly higher than at your infrastructure. The threats may come from > unknown source or from the customer himself (or their employees). > > The from you issued CA certificate with a path length of 0 and naming > constraints limitation is what convinces me as a reasonable protection > regarding above case. However it would have to be enforced by SAN > extension. How come your customers can decide if to include the relevant > alternative name or not? Isn't this something you should control? >
We have allowed the inclusion or not of the SAN extension in a certificate, because the constraints are always applied, whether the domain name is in the SAN or in the Subject DN. For us allowing this flexibility has thus not caused any issues, till now. Mandatory inclusion of the SAN extension in a certificate is a policy we can apply and monitor in the future. Regards, Kevin > -- > Regards > > Signer: Eddy Nigg, StartCom Ltd. > Jabber: [EMAIL PROTECTED] > Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
