Nelson B Bolyard wrote:
> Frank Hecker wrote:
>> For the record, I am pretty sure that we have CAs already in the root
>> list that have issued test certs under their hierarchies. IIRC the last
>> instance of this I saw was a CA that had a subordinate CA used for
>> testing purposes, under the root CA that we include.
<snip>
> Please elaborate. What CA did that?
> Is the subordinate CA that did so still valid (unexpired)?

I have no idea. This is just a vague remembrance on my part, and I can't vouch for its accuracy.

> IMO, this is a serious enough breach that it warrants calling for the
> removal of the CA that did it. If the subordinate CA is still valid
> and is not revoked, this calls for drastic action.

Let's ignore for a moment the question of whether a CA did this or not (because as I noted above, my recollection may be faulty). I'm still unclear on why issuing one or more test certs from a CA hierarchy is in and of itself a problem, *irrespective of the circumstances under which they were issued*.

I'm not referring to issuing test certs to people outside the CA, in a way that bypasses normal controls; that's clearly out of bounds. I'm talking about internal testing by the CA's operations staff.

If I'm running a CA, and I want to test my procedures for issuing certs, then what's the problem with having my internal staff issue a test cert under a given hierarchy, in order to verify technical details, compatibility with applications, etc., and then destroying the private key for the cert to ensure it can't be further used? You're telling me that no one at a CA has ever done this, and should never do it?

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto