
Re: SSL server certificate that has an intermediary certificate in the chain



2011/8/2 Howard Chu <hyc@symas.com>:
> Erwann ABALEA wrote:
>> 2011/8/1 Howard Chu<hyc@symas.com>:
>> [...]
>>>
>>> If there were indeed anything to be gained by such a feature, it would
>>> also
>>> need to be implemented on clients. Look around - do any web browsers
>>> allow
>>> you to isolate CAs like this?
>>
>> Yes. You can basically isolate CAs into 3 categories (they can
>> interleave):
>> - CAs trusted to issue server certs
>> - CAs trusted to issue email certs
>> - CAs trusted to issue code signing certs
>
> Again, nonsense. It's not up to the end-user to configure such things, it's
> up to the parent CA to set the appropriate keyUsage bits in the CA cert.
> Again *if you trust the CA in the first place* then you trust it, period. If
> you don't trust the CA to issue correctly generated certs, then that's a
> completely separate problem and you shouldn't be dealing with that CA
> anyway.

Have you ever been involved in having your CA certificate accepted by
a browser vendor?
Do you really think that because the CA has set the basicConstraints
and keyUsage extensions to become a CA, then it is equally trustful
for whatever use?
Have you ever read a CP and its associated CPS, to verify what the CA
performs to validate an identity?
Do you really think Mozilla CA Policy people, Microsoft Root CA
program people, Opera equivalent team, CABForum members are all X.509
illiterate guys?

I replied to your question: "Look around - do any web browsers allow
you to isolate CAs like this?". You can find this by yourself in your
browser. Display the list of CAs included, choose one, and edit its
"trust bits", you'll find at least the 3 presented categories. After
that, go to the Mozilla CA Policy set of web pages, and read about it.
It's public.

-- 
Erwann.