[cabfpub] Definition of an SSL certificate
Moudrick M. Dadashov
md at ssc.lt
Fri Jan 3 10:50:53 UTC 2014
Mads,
On 1/3/2014 11:49 AM, Mads Egil Henriksveen wrote:
>
> The attack scenario assumes that the QC can be chained to a root cert
> in a trusted CA root store. This means that the CA should know the
> root store requirements and should be aware of the risk issuing any
> cert that could be used as an SSL certificate.
>
> Buypass do issue both QC and SSL certificates and with the DigiNotar
> attack back in 2011 we realized that the browsers do accept a lot of
> certificates as SSL certificates. Since then we have had strict
> controls to ensure that no certificate is issued with an unverified
> domain name. I guess most of the trusted QC issuers who also issue SSL
> certificates are aware of this, I would not be very concerned about
> this attack scenario.
>
What is the use case when in a QC we'd need an [any/unverified] domain
name? (Aren't CAs responsible for the accuracy of information in the QCs
they issue?)
>
> However, I do support the idea of a technical definition of an SSL
> certificate and I like the proposal from Ryan Hurst requiring the
> BR/EV OIDs.
>
Under the ETSI framework, compliance assumes two things: compliance with the
corresponding requirements plus certificate profile compliance. These
two categories exist as separate documents (under their own ETSI IDs).
Ryan's proposal is definitely a good step forward; I'd vote with
both hands if we go even further and, like ETSI, have separate BR/EV
profile specifications.
Thanks,
M.D.