Wan-Teh Chang:
> That page lists "Allowing external entities to operate subordinate CAs"
> as a problematic practice.
> If a company or school needs to issue a lot of certs to its internal
> servers, what is the recommended practice? I always thought the
> organization should operate an intermediate CA subordinate to a
> root CA. Isn't that the hierarchical model of PKI?
Not necessarily! When the subordinate CA isn't part of the same PKI and no
auditing was done on those external CAs, then the auditing requirement
is effectively circumvented. I can give you very practical examples if
you want.
> If this is a problematic practice, is Mozilla recommending that the
> organization buy individual certs from a commercial CA, or operate its
> own root CA?
It depends... and then I must ask the question, why not? There are and
can be different interfaces for such organizations, as they are actually
provided as such by CAs. An organization needn't have a CA signing
certificate in their closet to use certification services suitable for them.
And then, how are those CA certificates governed; which physical and
digital security restrictions are applied? What are the policies
governing those CAs? How are those CAs audited? How were the CA keys
generated, signed, stored and transported to the different facility?
There are many more questions and uncertainties.
If the CA can provide attestations that the externally located CAs have
been audited (together with the parent CA), then I don't believe that
there is a problem; however, Mozilla signing a blank cheque under any
condition isn't something I'd want to rely on.
> Perhaps this is why we have so many root CAs now.
No, awareness and popularity of PKIs have grown and the economic
conditions have improved! But perhaps because of those sub-CAs and
cross-signing schemes we today have CAs in NSS which don't conform to the
minimum and basic requirements of the Mozilla CA policy! That should
worry you more...
I prefer to have more roots to review, include and know about than one
super-CA which we'll have to trust to be doing a good job...
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto