[cabfpub] Definition of an SSL certificate

Moudrick M. Dadashov md at ssc.lt
Fri Jan 3 10:50:53 UTC 2014


Mads,

On 1/3/2014 11:49 AM, Mads Egil Henriksveen wrote:
>
> The attack scenario assumes that the QC can be chained to a root cert 
> in a trusted CA root store. This means that the CA should know the 
> root store requirements and should be aware of the risk issuing any 
> cert that could be used as an SSL certificate.
>
> Buypass do issue both QC and SSL certificates and with the DigiNotar 
> attack back in 2011 we realized that the browsers do accept a lot of 
> certificates as SSL certificates. Since then we have had strict 
> controls to ensure that no certificate is issued with an unverified 
> domain name. I guess most of the trusted QC issuers who also issue SSL 
> certificates are aware of this; I would not be very concerned about 
> this attack scenario.
>
What is the use case in which a QC would need an [any/unverified] domain 
name? (Aren't CAs responsible for the accuracy of the information in the 
QCs they issue?)
>
> However, I do support the idea of a technical definition of an SSL 
> certificate and I like the proposal from Ryan Hurst requiring the 
> BR/EV OIDs.
>
Under the ETSI framework, compliance assumes two things: compliance with 
the corresponding requirements plus certificate profile compliance. These 
two categories exist as separate documents (under their own ETSI IDs).
Ryan's proposal is definitely a good step forward; I'd vote with both my 
hands if we go even further and, like ETSI, have separate BR/EV profile 
specifications.

Thanks,
M.D.
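As an added illustration of the two definitions discussed in this thread (what browsers in practice accept as an SSL certificate versus Ryan Hurst's proposal of requiring the BR/EV policy OIDs), here is a small Python classifier; it is example code, not anything from the list, Buypass or SSC. The OIDs are the well-known RFC 5280 and CA/Browser Forum values, which the thread does not quote; the Cert structure, the sample certificates and the placeholder QC policy OID are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# OIDs from RFC 5280 and the CA/Browser Forum BR/EV Guidelines (known values the thread does not quote)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
CABF_POLICIES = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "BR-DV", "2.23.140.1.2.2": "BR-OV"}
HOST_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{HOST_LABEL}(\.{HOST_LABEL})+")

@dataclass
class Cert:
    """Constructed stand-in for a parsed end-entity certificate (not a real parser)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName entries of subjectAltName
    eku: Optional[list] = None                    # None models an absent EKU extension
    policies: list = field(default_factory=list)  # certificatePolicies OIDs

def browser_accepts_as_ssl(cert: Cert) -> bool:
    """De facto rule: EKU absent or permitting serverAuth, plus a hostname in SAN or CN."""
    eku_ok = cert.eku is None or SERVER_AUTH in cert.eku or ANY_EKU in cert.eku
    has_host = bool(cert.san_dns) or HOSTNAME_RE.fullmatch(cert.subject_cn) is not None
    return eku_ok and has_host

def ssl_by_policy_oid(cert: Cert) -> Optional[str]:
    """Proposed rule (Ryan Hurst, per the thread): an SSL certificate asserts a BR or EV OID."""
    for oid in cert.policies:
        if oid in CABF_POLICIES:
            return CABF_POLICIES[oid]
    return None

def classify(cert: Cert) -> str:
    """Show where the two definitions agree and where they leave a gap."""
    accepted, policy = browser_accepts_as_ssl(cert), ssl_by_policy_oid(cert)
    if accepted and policy:
        return f"SSL ({policy})"
    if accepted:
        return "accepted as SSL by browsers but outside BR/EV scope"
    if policy:
        return f"asserts {policy} but not usable for SSL (EKU or names)"
    return "not an SSL certificate"

# Constructed samples; "1.2.3.4.5.6" stands in for an issuer's own QC policy OID (placeholder).
QC_PERSON = Cert("John Doe", policies=["1.2.3.4.5.6"])
QC_WITH_DOMAIN = Cert("John Doe", san_dns=["unverified.example"], policies=["1.2.3.4.5.6"])
DV_CERT = Cert("www.example.com", san_dns=["www.example.com"], eku=[SERVER_AUTH], policies=["2.23.140.1.2.1"])

if __name__ == "__main__":
    for c in (QC_PERSON, QC_WITH_DOMAIN, DV_CERT):
        print(c.subject_cn, "->", classify(c))
```

The second sample is the case Mads describes: a QC with no EKU and an unverified domain name is accepted by browsers as an SSL certificate, while the OID-based definition would keep it out of BR/EV scope.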