Hi, [great debian openssl f**kup] >some CAs have started to take action actively.
I have started a new thread about this with an example why a blacklist is the only way to go. >> - allow limiting CA certificates to certifying certain domains (for >> example, I want my universities CA to be able to issue valid certs >> for >> subdomains of the university domain and a single other domain ONLY, >> so >> if the CA gets hacked, noone can use its key to create a valid cert >> for >> my bank). >This is induced via the name constraint extension in CA certificates. >This is up to the issuing CA. I would like to have a way to basically add a name constraint if the CA didn't. As I specifically add the certificate, I should be able to select "but trust this only for *.somedomain.de". As I need this for only this one CA, if it is possible to create a new certificate with the same modulus it would be enough to give me some pointers how to do that. >Of course Google has no problem getting valid >certificate(s) for all its domain name extensions. They shouldn't, but they do. (at least with www.google.com vs. google.com) >> - allow saving and "locking in" onto a certain cert just noticed there already is a bug similar to this, https://bugzilla.mozilla.org/show_bug.cgi?id=286107 >>Imagine the following scenario: >> >> A dissident in china wants to get a new Firefox version. He uses a >> secure system and is very afraid that the government will replace a >> download of a program he wants by a trojan. For this reason, he does >> his >> firefox download via https. The chinese government forced a CA to >> cooperate, gets a valid cert for the mozilla web site and puts the >> trojan into his download. >If you can point to one CA even considering >something like this, please forward the name >of the CA. I assume that any chinese CA would do this, I do not know if there are any. But you can apply that to other countries. There is a CA located in Israel that is trusted in FF. I think that if the Mossad wanted a fake cert, they would get it fairly quickly, one way or the other. And I don't know what would happen if the DHS or NSA asked Verisign for something like this in the name of national security. Regards, Jan -- Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers... _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
