On Thu, Apr 02, 2015 at 01:46:48PM -0400, Phillip Hallam-Baker wrote:
> As a matter of policy, no cert should ever issue for a private key
> that is not under the direct control of a CA unless one of the
> following apply to the corresponding cert:
>
> 1) The other party has CP, CPS and full audit for operating a CA.
> 2) There is a name constraint.
> 3) It is an end entity certificate.

EE is a kind of name constraint.  (1) is a non-starter, or would have
been had we had universal deployment of name constraints.

> Further no private key should ever be in a network accessible device
> unless the following apply:
>
> 1) There is a path length constraint that limits issue to EE certs.
> 2) It is an end entity certificate.

Well, no, some CAs need to be on-line, but then they should have an
online key and an off-line key signing the online key's cert.

Nico

-- 
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
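As an added example (mine, not part of the thread and not code from Phillip or Nico), the Go program below uses only the standard-library crypto/x509 package. It encodes the two rules quoted above as checks on a parsed certificate (EE or name-constrained for rule 1; EE or pathLenConstraint 0 for rule 2) and builds the arrangement Nico describes: an offline root whose cert carries no constraints, an online issuing CA whose cert carries pathLenConstraint 0 plus a DNS name constraint, and an EE cert issued by the online CA. All subject names, the example.test domain, the serial numbers and the function names are my own constructed choices; the "CP, CPS and full audit" clause is paperwork rather than a certificate property, so the checker can only report that an unconstrained CA cert still owes it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hasNameConstraints reports whether any permitted or excluded subtree is present.
func hasNameConstraints(c *x509.Certificate) bool {
	return len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains)+len(c.PermittedEmailAddresses)+
		len(c.ExcludedEmailAddresses)+len(c.PermittedURIDomains)+len(c.ExcludedURIDomains)+
		len(c.PermittedIPRanges)+len(c.ExcludedIPRanges) > 0
}

// CheckIssuedToOtherParty applies the first rule: a cert for a key the CA does not control
// must be an EE cert or carry a name constraint (the CP/CPS/audit clause is not in the cert).
func CheckIssuedToOtherParty(c *x509.Certificate) (ok bool, reason string) {
	if !c.IsCA {
		return true, "end-entity certificate"
	}
	if hasNameConstraints(c) {
		return true, "CA certificate with name constraints"
	}
	return false, "unconstrained CA certificate: needs CP, CPS and audit"
}

// CheckNetworkReachableKey applies the second rule: a network-reachable key must belong to
// an EE cert or to a CA with an explicit pathLenConstraint of 0 (Go flags that as MaxPathLenZero).
func CheckNetworkReachableKey(c *x509.Certificate) (ok bool, reason string) {
	if !c.IsCA {
		return true, "end-entity certificate"
	}
	if c.MaxPathLenZero {
		return true, "CA limited to issuing EE certs (pathLen 0)"
	}
	return false, "CA able to issue further CA certs: keep its key offline"
}

// must panics on error; the chain below is a constructed fixture, not production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCert signs tmpl with parent's private key and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildChain builds the arrangement Nico describes: an offline root signs the cert of an online
// issuing CA confined to pathLen 0 and to names under example.test, and the online CA issues the
// EE cert for leafName. All subjects and names here are constructed for this example.
func BuildChain(leafName string) (root, online, leaf *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, onlineKey, leafKey := newKey(), newKey(), newKey()
	notBefore := time.Now().Add(-time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Offline Root (constructed)"},
		NotBefore: notBefore, NotAfter: notBefore.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	onlineTmpl := *rootTmpl // same CA shape as the root, then confined
	onlineTmpl.SerialNumber, onlineTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Online Issuing CA (constructed)"}
	onlineTmpl.MaxPathLen, onlineTmpl.MaxPathLenZero = 0, true // explicit pathLenConstraint=0
	onlineTmpl.PermittedDNSDomainsCritical, onlineTmpl.PermittedDNSDomains = true, []string{"example.test"}
	online = signCert(&onlineTmpl, root, &onlineKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafName}, DNSNames: []string{leafName},
		NotBefore: notBefore, NotAfter: rootTmpl.NotAfter, BasicConstraintsValid: true, // IsCA false: cA=FALSE
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = signCert(leafTmpl, online, &leafKey.PublicKey, onlineKey)
	return root, online, leaf
}

// VerifyLeaf chains leaf to root through the online CA for dnsName; the verifier enforces
// the online CA's name constraint and path length along the way.
func VerifyLeaf(root, online, leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(online)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

func main() {
	root, online, leaf := BuildChain("www.example.test")
	ok, why := CheckNetworkReachableKey(online)
	fmt.Println("online CA key may sit on a reachable host:", ok, why)
	fmt.Println("leaf verifies:", VerifyLeaf(root, online, leaf, "www.example.test") == nil)
}
```

Run with `go run`: the online CA passes both checks (name constraint for rule 1, pathLen 0 for rule 2), the root passes neither, and the EE cert passes both. Building the same chain with a leaf name outside example.test produces a cert that parses fine but fails Verify, which is the name constraint doing the work Nico is relying on.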
