[cabfpub] A few technical details about the case by TURKTRUST
Rick Andrews
Rick_Andrews at symantec.com
Fri Jan 4 21:30:28 UTC 2013
Eddy,
I agree with you, but AFAIK, TurkTrust issued these two certs from an online intermediate. Having your roots offline does not prevent the issuance of certs with cA=true in basicConstraints.
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, January 04, 2013 12:29 PM
To: public at cabforum.org
Subject: Re: [cabfpub] A few technical details about the case by TURKTRUST
On 01/04/2013 09:40 PM, From Rick Andrews:
I have one concern about the post process control you’ve put into place. You say that it will check the basicConstraints value against the respective certificate policy. I’m worried that if that test profile gets put on the production system again, and certs are issued against it, your post process control will not alert you, because the test policy would say “add basicConstraints cA=true” and that would match the issued certificate.
Well, clearly CA certificates should only be issued from an off-line CA root which has no business being on any production environment. It's not clear to me why this has been done in the first place (knowing how CA roots should be treated).
WebTrust also has criteria about how development and test data is treated; I don't know what ETSI says about it.
Except for issuing some test certificate, which however shouldn't involve any real subscribers, issuing end-user certificates from the CA root is yet another practice that should be banished by now, no? Is this what happened here?
Regards
Signer: Eddy Nigg, COO/CTO, StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
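The concern raised above is that a post-issuance control which compares basicConstraints with the *profile* passes whenever the profile itself is wrong. The following is an added example (not code from TURKTRUST, StartCom or the CA/Browser Forum) that decodes the DER value of the basicConstraints extension and contrasts that profile-relative check with an absolute rule: any cA=true issued by an online intermediate is an alert, whatever the profile says. The issuer name, profile names and issuance records are constructed for the example.

```python
"""Post-issuance control for basicConstraints (added example, not from the thread).

Decodes the DER value of the basicConstraints extension, which RFC 5280 defines as
SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }, and
runs two controls over constructed issuance records:

- profile_check: the control described in the thread; the issued cA value is
  compared with the profile's expected value, so a cA=true profile passes.
- absolute_check: cA=true from an online issuing CA is always flagged.
"""

ONLINE_ISSUERS = {"Example Online Intermediate CA"}  # constructed name, not a real CA


def _read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for one DER TLV; short-form length only."""
    tag = data[pos]
    length = data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this example")
    start = pos + 2
    return tag, data[start:start + length], start + length


def parse_basic_constraints(der):
    """Decode a basicConstraints extension value into (ca, path_len)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:      # BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("non-DER BOOLEAN encoding")
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:      # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing bytes in basicConstraints")
    return ca, path_len


def profile_check(record, profiles):
    """Profile-relative control: issued cA must equal the profile's cA."""
    ca, _ = parse_basic_constraints(record["basic_constraints"])
    return ca == profiles[record["profile"]]["ca"]


def absolute_check(record):
    """Absolute control: cA=true from an online issuer is never acceptable."""
    ca, _ = parse_basic_constraints(record["basic_constraints"])
    return not (ca and record["issuer"] in ONLINE_ISSUERS)


# Constructed profiles: the test sub-CA profile has been left on production.
PROFILES = {
    "server-auth": {"ca": False},
    "test-subca": {"ca": True},
}

# Constructed issuance records with hand-assembled DER extension values.
RECORDS = [
    {"serial": 1, "issuer": "Example Online Intermediate CA", "profile": "server-auth",
     "basic_constraints": bytes.fromhex("3000")},               # empty SEQUENCE: cA false
    {"serial": 2, "issuer": "Example Online Intermediate CA", "profile": "test-subca",
     "basic_constraints": bytes.fromhex("30060101ff020100")},   # cA=true, pathLen 0
]


def audit(records=RECORDS, profiles=PROFILES):
    """Return the serials each control would flag."""
    return {
        "profile_check_alerts": [r["serial"] for r in records if not profile_check(r, profiles)],
        "absolute_check_alerts": [r["serial"] for r in records if not absolute_check(r)],
    }


if __name__ == "__main__":
    print(audit())  # profile check flags nothing; absolute check flags serial 2
```

Running the audit shows the gap: the profile-relative control raises no alert for serial 2 because the test profile says cA=true, while the absolute rule flags it. The absolute check needs only a list of issuers that are never allowed to produce CA certificates, so it cannot be silenced by a mistaken profile.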