Hello

Suppose Example Ltd. runs its own local CA that issues certificates to servers and email addresses at example.com and its subdomains. The certificate of this CA is installed as a trusted CA certificate into every browser (Firefox) and email client (Thunderbird) of employees.

Example Ltd. wants to make sure that only their own CA may sign certificates claiming to belong to example.com or any of its subdomains. That is, if a user tries to connect to any *.example.com server whose SSL/TLS certificate has not been signed by the CA of Example Ltd., the user should see a security warning about an invalid server certificate (likewise for email if using S/MIME).

Without this security measure, any CA that has its certificates in client software has the power to thwart SSL/TLS security by issuing fake certificates claiming to belong to *.example.com servers or email addresses.

Is there a way around this problem, without disabling or removing all other certificates? Certificates signed by other, widely recognized CAs, whose certificates are included by default in Mozilla products, should still be considered valid except for *.example.com domains.

Thanks for any help.

Balint Balogh

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
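The policy the post asks for, stated as relying-party logic: run ordinary chain validation against every trusted root, and then, only for names under example.com, additionally require that the chain end at Example Ltd.'s own CA. The following is an added example, not code from the post or from Mozilla's NSS/PSM; it uses Go's standard `crypto/x509` and builds two in-memory CAs ("Example Ltd. Local CA" and "Some Public CA", both constructed test data) to show the three outcomes the post describes: a local-CA certificate for mail.example.com is accepted, a certificate for the same name from the other trusted CA is rejected, and that other CA's certificate for an unrelated domain is still accepted. The names `DomainPin`, `VerifyWithPins`, `underDomain` and `Demo` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must panics on any error; every certificate here is constructed test data.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA certificate with the given name (in-memory, constructed).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newLeaf issues a TLS server certificate for dnsName, signed by ca.
func newLeaf(dnsName string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// DomainPin says: any certificate for Domain, or a subdomain of it, must chain to Root.
type DomainPin struct {
	Domain string
	Root   *x509.Certificate
}

// underDomain reports whether host equals domain or is a subdomain of it
// (label-aware, so "notexample.com" does not match "example.com").
func underDomain(host, domain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	domain = strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// VerifyWithPins does ordinary chain validation against all trusted roots, then,
// for hosts under a pinned domain, requires that some valid chain end at the pinned CA.
// Hosts outside every pinned domain are accepted from any trusted root as usual.
func VerifyWithPins(leaf *x509.Certificate, host string, roots *x509.CertPool, pins []DomainPin) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, pin := range pins {
		if !underDomain(host, pin.Domain) {
			continue
		}
		for _, chain := range chains {
			if chain[len(chain)-1].Equal(pin.Root) {
				return nil
			}
		}
		actual := chains[0][len(chains[0])-1].Subject.CommonName
		return fmt.Errorf("%s: chain ends at %q, but names under %s must be issued by %q",
			host, actual, pin.Domain, pin.Root.Subject.CommonName)
	}
	return nil
}

// Demo runs the three cases from the post and reports whether each behaved as the policy requires.
func Demo() (localAccepted, foreignRejected, otherDomainAccepted bool) {
	localCA, localKey := newCA("Example Ltd. Local CA", 1)
	publicCA, publicKey := newCA("Some Public CA", 2)
	roots := x509.NewCertPool() // both CAs are trusted, as in a default browser store plus the local CA
	roots.AddCert(localCA)
	roots.AddCert(publicCA)
	pins := []DomainPin{{Domain: "example.com", Root: localCA}}
	own := newLeaf("mail.example.com", localCA, localKey)
	foreign := newLeaf("mail.example.com", publicCA, publicKey)
	other := newLeaf("www.other.test", publicCA, publicKey)
	localAccepted = VerifyWithPins(own, "mail.example.com", roots, pins) == nil
	foreignRejected = VerifyWithPins(foreign, "mail.example.com", roots, pins) != nil
	otherDomainAccepted = VerifyWithPins(other, "www.other.test", roots, pins) == nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("local CA cert for mail.example.com accepted:", a)
	fmt.Println("other CA cert for mail.example.com rejected:", b)
	fmt.Println("other CA cert for www.other.test accepted:", c)
}
```

The check has to sit on the relying-party side because the X.509 name-constraints extension (RFC 5280) works in the other direction: it limits which names a given CA may issue for, and cannot tell a client that other CAs must not issue for example.com. The pin is therefore expressed as a rule over the validated chain's root, applied after the normal validation that all other domains continue to rely on.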