Eddy Nigg wrote:
> On 11/29/2008 06:43 AM, Frank Hecker:
> > On the WISeKey end, they could mandate use of SAN in BlackBox-issued
> > certificates (as opposed to just including it in the default template),
> > and from the NSS end we could disallow use of CN for storing domain
> > names.
>
> At least you could have made it a requirement in order for the name constraints to have any effect with NSS.

Made what a requirement? Mandating use of SAN in BlackBox? (In other words, BlackBox customers would not be able to change the default BlackBox certificate template to disable SAN.) But my understanding (based on your hypothetical scenario) is that this would not be sufficient, since someone could remove the key material and try to issue certificates outside the context of the BlackBox product.

Also, at this point we don't have a good understanding why BlackBox customers disable use of SAN in the first place. There may be some special factors we're not aware of that cause a problem with SAN in certain customer-specific contexts.

> In regards to NSS we don't have to disallow subject CN fields, but have NSS check also for these attributes in addition to the SAN.

My impression from Nelson's comments is that checking CN would be subject to potential errors, since there is no well-defined standard for what CN should contain. Thus the only foolproof approach would be to move to a world where we prohibit use of CN in contexts like SSL-enabled servers and force the use of SAN. But that would be a major undertaking and one that would likely take several years in order to coordinate action with other browser vendors and with CAs in general.

The bottom line is that I certainly encourage WISeKey to promote correct use of SAN, including consideration of making its use mandatory in the BlackBox templates, investigation of why some customers don't use it, and resolution of any issues relating to use of SAN by BlackBox customers. However I'm not going to make approval conditional on that, given our uncertain state of knowledge and the dependence on future NSS changes to fully address the SAN vs. CN issue.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

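A small model of the gap the thread is about (name constraints applied to SAN dNSName entries, while a client still accepts a host name carried in CN), as an added example that is not code from the thread, from NSS or from WISeKey; the Cert fields, the permitted subtree list and the host names are constructed sample values, and the matching rules are simplified approximations of RFC 5280 dNSName subtree matching and of a client's host-name check:

```python
"""Model of how dNSName name constraints interact with SAN vs. subject CN.

Added example; not NSS code. Cert values and constraints are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName subtree test: name equals the base or is a
    subdomain of it, compared on label boundaries, case-insensitively."""
    name = name.lower().rstrip(".")
    base = base.lower().lstrip(".").rstrip(".")
    return name == base or name.endswith("." + base)


def constraints_satisfied(cert: Cert, permitted: List[str], check_cn: bool) -> bool:
    """True if every name the constraint is applied to lies in a permitted
    subtree. Classic behaviour constrains only SAN dNSName entries; with
    check_cn=True the subject CN is also treated as a dNSName, which is the
    NSS-side change discussed in the thread (and which trips over CNs that
    are not host names at all, since CN content is not standardised)."""
    names = list(cert.san_dns)
    if check_cn and cert.subject_cn:
        names.append(cert.subject_cn)
    return all(any(dns_in_subtree(n, b) for b in permitted) for n in names)


def hostname_matches(cert: Cert, host: str, allow_cn_fallback: bool) -> bool:
    """Simplified client host check: SAN dNSName entries are authoritative;
    the CN is consulted only when the cert carries no SAN and the client
    still permits the legacy CN fallback. Wildcards are not modelled."""
    host = host.lower()
    if cert.san_dns:
        return any(n.lower() == host for n in cert.san_dns)
    return allow_cn_fallback and (cert.subject_cn or "").lower() == host


def would_accept(cert: Cert, host: str, permitted: List[str],
                 check_cn: bool, allow_cn_fallback: bool) -> bool:
    """Overall decision for a cert chaining to a name-constrained issuer."""
    return (constraints_satisfied(cert, permitted, check_cn)
            and hostname_matches(cert, host, allow_cn_fallback))
```

The interesting case is a certificate with no SAN whose CN names a host outside the issuer's permitted subtree: the SAN-only constraint check passes vacuously and the CN fallback matches the host, so neither mandating SAN in the issuing template alone nor constraining only SAN closes the gap on the client side.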