[cabfpub] A few technical details about the case by TURKTRUST
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Jan 4 20:29:04 UTC 2013
On 01/04/2013 09:40 PM, From Rick Andrews:
> I have one concern about the post process control you’ve put into
> place. You say that it will check the basicConstraints value against
> the respective certificate policy. I’m worried that if that test
> profile gets put on the production system again, and certs are issued
> against it, your post process control will not alert you, because the
> test policy would say “add basicConstraints cA=true” and that would
> match the issued certificate.
Well, clearly CA certificates should only be issued from an off-line CA
root which has nothing lost on any production environment. It's not
clear to me why this has been done in the first place (knowing how CA roots
should be treated).
WebTrust also has criteria about how development and test data is
treated; I don't know what ETSI says about it.
Except for issuing some test certificate, which however shouldn't involve
any real subscribers, issuing end-user certificates from the CA root is
yet another practice that should be banished by now, no? Is this what
happened here?
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
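The concern raised above is that a post-issuance control which compares the issued basicConstraints value against the certificate's own profile cannot catch a stray test profile, because the profile itself says cA=TRUE is expected. The following is an added example, not code from the thread or from either CA: it decodes the DER value of the extension and runs two checks over a constructed issuance log, one profile-based (as described in the thread) and one based on a profile-independent invariant that an online production issuer never signs a CA certificate. The issuer names, profile names and log records are constructed for the example.

```python
# Added example (not part of the original thread): a post-issuance check for
# basicConstraints that does not take the certificate profile's word for what
# the extension should contain. Issuer names, profile names and the DER bytes
# below are constructed for the example.
from typing import Optional

# Issuing CAs that run in the production (online) environment. Assumption for
# the example: only an offline root is ever allowed to sign a cA=TRUE cert.
ONLINE_ISSUERS = {"CN=Example Production Issuing CA"}

# Profile table as the issuance system sees it. The "test-subca" entry is the
# kind of stray test profile the thread worries about: if it lands on the
# production system, a profile-based check will consider cA=TRUE "expected".
PROFILES = {
    "dv-server": {"expect_ca": False},
    "test-subca": {"expect_ca": True},
}


def decode_basic_constraints(der: bytes) -> tuple[bool, Optional[int]]:
    """Decode the DER value of a BasicConstraints extension.

    BasicConstraints ::= SEQUENCE {
        cA                 BOOLEAN DEFAULT FALSE,
        pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
    Only short-form lengths are handled; the extension value is at most a few
    bytes long, so that covers every real encoding of it.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("basicConstraints must be a SEQUENCE")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad SEQUENCE length")
    body = der[2:]
    ca, path_len = False, None
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated element")
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated element value")
        i += 2 + ln
        if tag == 0x01:  # BOOLEAN cA (an explicit FALSE is tolerated, though DER omits it)
            if ln != 1 or val[0] not in (0x00, 0xFF):
                raise ValueError("non-DER BOOLEAN")
            ca = val[0] == 0xFF
        elif tag == 0x02:  # INTEGER pathLenConstraint
            if ln == 0 or val[0] & 0x80:
                raise ValueError("pathLenConstraint must be non-negative")
            path_len = int.from_bytes(val, "big")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return ca, path_len


def profile_based_check(record: dict) -> list[str]:
    """The control as described in the thread: compare the issued extension
    against what the certificate's own profile says it should contain."""
    ca, _ = decode_basic_constraints(record["basic_constraints_der"])
    expected = PROFILES[record["profile"]]["expect_ca"]
    if ca != expected:
        return [f"{record['serial']}: cA={ca} but profile "
                f"{record['profile']} expects {expected}"]
    return []


def invariant_check(record: dict) -> list[str]:
    """Profile-independent rule: an online production issuer never signs a
    CA certificate, whatever the profile says."""
    ca, _ = decode_basic_constraints(record["basic_constraints_der"])
    if ca and record["issuer"] in ONLINE_ISSUERS:
        return [f"{record['serial']}: cA=TRUE issued by online CA "
                f"{record['issuer']}"]
    return []


# Constructed issuance log: one normal server cert and one cert that a stray
# test profile turned into an intermediate CA, signed by the online issuer.
ISSUANCE_LOG = [
    {"serial": "01", "issuer": "CN=Example Production Issuing CA",
     "profile": "dv-server", "basic_constraints_der": b"\x30\x00"},
    {"serial": "02", "issuer": "CN=Example Production Issuing CA",
     "profile": "test-subca", "basic_constraints_der": b"\x30\x03\x01\x01\xff"},
]


def run_checks(log: list[dict]) -> dict[str, list[str]]:
    """Run both controls over the log and return their findings by name."""
    return {
        "profile_based": [f for r in log for f in profile_based_check(r)],
        "invariant": [f for r in log for f in invariant_check(r)],
    }


if __name__ == "__main__":
    for name, findings in run_checks(ISSUANCE_LOG).items():
        print(name, findings or "no findings")
```

Run as a script, the profile-based control reports nothing for serial 02 because the test profile declares cA=TRUE as expected, while the invariant check flags it. The point of the design is that the second rule is anchored to where the signing key lives, not to the profile data that the misconfiguration itself could have altered.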