[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL server certificate that has an intermediary certificate in the chain

2011/8/2 Howard Chu <hyc@symas.com>:
> Erwann ABALEA wrote:
>> 2011/8/1 Howard Chu<hyc@symas.com>:
>> [...]
>>> If there were indeed anything to be gained by such a feature, it would
>>> also
>>> need to be implemented on clients. Look around - do any web browsers
>>> allow
>>> you to isolate CAs like this?
>> Yes. You can basically isolate CAs into 3 categories (they can
>> interleave):
>> Â- CAs trusted to issue server certs
>> Â- CAs trusted to issue email certs
>> Â- CAs trusted to issue code signing certs
> Again, nonsense. It's not up to the end-user to configure such things, it's
> up to the parent CA to set the appropriate keyUsage bits in the CA cert.
> Again *if you trust the CA in the first place* then you trust it, period. If
> you don't trust the CA to issue correctly generated certs, then that's a
> completely separate problem and you shouldn't be dealing with that CA
> anyway.

Have you ever been involved in having your CA certificate accepted by
a browser vendor?
Do you really think that because the CA has set the basicConstraints
and keyUsage extensions to become a CA, then it is equally trustful
for whatever use?
Have you ever read a CP and its associated CPS, to verify what the CA
performs to validate an identity?
Do you really think Mozilla CA Policy people, Microsoft Roiot CA
program people, Opera equivalent team, CABForum members are all X.509
illiterate guys?

I replied to your question: "Look around - do any web browsers allow
you to isolate CAs like this?". You can find this by yourself in your
browser. Display the list of CAs included, chose one, and edit its
"trust bits", you'll find at least the 3 presented categories. After
that, go to the Mozilla CA Policy set of web pages, and read about it.
It's public.