Hi, I've had a few discussions with people about interesting things that a CA should probably never sign for the public internet. A private CA or a CA used simply for private purposes is obviously another story.
Off the top of my head and to kick things off:

- non-FQDN host names such as 'mail'
- scoped names that cannot be verified such as 'foo.bar.local'

Other things include:

- high profile domains without manual verification
- weakly keyed CSR with say a 3 or 512 bit key

It seems like this is ripe for a wiki or something that is public. Some of these things may be a good debate but that they are issues at all for someone is probably not much of a debate.

Thoughts?

Sincerely,
Jacob
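
The four cases listed in the message above, written as a pre-issuance check. This is an added example, not part of the original post. The function name, the suffix list, the high-profile list and the 2048-bit floor are all assumptions made for illustration, and the names and key size are assumed to have been extracted from the CSR already.

```python
# Added illustration: pre-issuance checks for the cases listed in the post.
# Inputs are assumed to be already extracted from the CSR (names, RSA key size).

# Constructed, non-exhaustive suffix list; a real check would consult the IANA root zone.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "test", "invalid", "example"}
# Constructed placeholder for a CA-maintained list of names needing manual review.
HIGH_PROFILE = {"bank.example.com"}
MIN_RSA_BITS = 2048  # assumed policy floor


def lint_request(names, rsa_bits, manually_verified=False):
    """Return a list of (item, reason) findings; an empty list means no objection."""
    findings = []
    if rsa_bits < MIN_RSA_BITS:
        findings.append(("key", f"RSA key of {rsa_bits} bits is below {MIN_RSA_BITS}"))
    for raw in names:
        name = raw.rstrip(".").lower()
        labels = name.split(".")
        # A bare host name ('mail') or an empty label is not a usable FQDN.
        if len(labels) < 2 or "" in labels:
            findings.append((raw, "not a fully qualified domain name"))
            continue
        # Names under non-delegated suffixes have no owner a public CA can verify.
        if labels[-1] in NON_PUBLIC_SUFFIXES:
            findings.append((raw, f"suffix '.{labels[-1]}' cannot be verified publicly"))
            continue
        # Match the listed domain itself and anything beneath it.
        if not manually_verified and any(
            name == d or name.endswith("." + d) for d in HIGH_PROFILE
        ):
            findings.append((raw, "high-profile domain requires manual verification"))
    return findings


if __name__ == "__main__":
    # Constructed sample request mirroring the examples in the post.
    sample = ["mail", "foo.bar.local", "www.bank.example.com"]
    for item, reason in lint_request(sample, 512):
        print(f"REJECT {item}: {reason}")
```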
