[cabfpub] Misissuance of certificates

Rick Andrews Rick_Andrews at symantec.com
Mon Dec 7 16:38:03 MST 2015


Sigbjørn,

While we agree with this proposal, it wouldn't address our key use case.

We've talked to very large customers about technically-constrained intermediates, and this is consistently not doable because their list of owned domains changes so frequently. After further consideration, issuing internal-only or non-browser certs from a private root is the most straightforward and comprehensive approach.

-Rick

-----Original Message-----
From: Sigbjørn Vik [mailto:sigbjorn at opera.com] 
Sent: Wednesday, December 02, 2015 3:11 AM
To: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

On 01-Dec-15 19:10, Rick Andrews wrote:
> 1. Define one or more ways in which CAs will distinguish publicly used certificates from internally used certificates (Ex. use designated intermediate CAs or designated root CAs for internal-only used certificates).

We could presumably remove the requirement for certificates issued by technically constrained intermediate certificates. If the intermediate itself was incorrectly issued, details would have to be released, but if certificates issued from it were incorrect, some details could be left out. Would that take care of your use case?

