Hi Eddy,

On Nov 19, 3:14 am, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> Frank:
>
> The Wisekey case could be where we might draw the line. Provided that
>
> - there is a *good compelling reason* for using sub-ordinate
> certificates in the first place, limited to the domains under the control of
> the owner (via name-constraints) and with reasonable controls in place
> (like annual site visits, proper CA key generation, distribution and
> storage);
> - name constraints in certificates are working as expected with NSS
> and Mozilla software *;
> - reasonable verifications are performed of the sub-ordinate certificate
> owner;
>
> I tend to suggest to exclude the audit requirement for this specific
> case. It should however represent the line between the other cases.
>
> * One thing I'm not sure about is concerning S/MIME certificates and
> their verification requirements. And do name-constraints work with S/MIME?
>
Name-constraints work on the level of the CA, and this is what we rely on together with the audit and monitoring tools. The CA looks at its certificate, and won't issue a request, S/MIME or otherwise, that violates the name constraints.

> Kevin (from Wisekey):
>
> Why is a sub-ordinate CA certificate needed for this product, if it's
> limited to a certain set of domain names? Can't the same be achieved by
> simply issuing from a general sub CA under the control of the parent CA?
> What are the differences for the customer (I mean, it doesn't really
> matter if a site certificate or email certificate is issued from a sub
> CA under the control of the parent CA or from a different sub CA under
> the control of the owner. In the end of the day there may be only a
> certain set of domain names for the same set of web sites)?
>

We offer both types of delivery. We have many managed PKI customers. However, some agencies don't wish their ID information to leave their premises, or to cross national borders; or desire to have closer integration with the ID lifecycle management software and internal directory, which is far easier and more efficient with the BlackBox system, and it's also far more cost effective, especially in large user populations. There are also other reasons, but those are probably the most important.

> Nelson:
>
> Do name-constraints work as expected with NSS and Firefox/Thunderbird
> etc.? I didn't have a chance to test this ever... Are there some test
> cases with correctly and wrongfully issued certificate which would
> demonstrate the correct functioning? What about S/MIME certificates?
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
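Kevin's reply above describes the issuing CA checking its own certificate's name constraints before it signs anything, S/MIME or otherwise. The Python below is an added example from the editor, not code from WISeKey, StartCom or anyone on this thread; it implements the RFC 5280 section 4.2.1.10 matching rules for dNSName and rfc822Name as such a pre-issuance check, run over a constructed constraint set and constructed requests (all domain names, mailboxes and the `check_names`, `PERMITTED`, `EXCLUDED` and `evaluate_requests` names are this example's own). It says nothing about how NSS or Thunderbird evaluate constraints at validation time, which is the open question Eddy raises; it only shows the issuer-side rule, including the rfc822Name subtlety that a bare host constraint covers mailboxes on that host and not on its subdomains.

```python
"""Pre-issuance name-constraint check, following RFC 5280 section 4.2.1.10
for dNSName and rfc822Name. Added example; the constraint set and the
requests are constructed for illustration, not taken from any real sub-CA."""


def _dns_matches(name, constraint):
    """dNSName: the name equals the constraint, or is the constraint with one
    or more labels added on the left (RFC 5280 4.2.1.10)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        # A leading dot is not defined by RFC 5280 for dNSName; treated here
        # as "subdomains only" (assumption: the lenient reading some software uses).
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def _rfc822_matches(addr, constraint):
    """rfc822Name: 'user@host' names one mailbox, 'host' names every mailbox
    on that host only, '.domain' names every mailbox in a subdomain of domain."""
    addr = addr.lower()
    constraint = constraint.lower()
    if "@" in constraint:
        return addr == constraint
    if "@" not in addr:
        return False
    host = addr.rsplit("@", 1)[1]
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


MATCHERS = {"dNSName": _dns_matches, "rfc822Name": _rfc822_matches}


def check_names(names, permitted, excluded):
    """names, permitted, excluded: lists of (nameType, value) tuples.
    Returns the list of violations; an empty list means every requested name
    lies inside a permitted subtree of its type and outside every excluded one."""
    violations = []
    for ntype, value in names:
        perm = [v for t, v in permitted if t == ntype]
        excl = [v for t, v in excluded if t == ntype]
        match = MATCHERS.get(ntype)
        if match is None:
            # Per RFC 5280 a name type with no constraints is unrestricted;
            # a constrained type this checker cannot evaluate is refused.
            if perm or excl:
                violations.append(
                    f"{ntype} {value}: cannot evaluate constraints for this name type")
            continue
        if perm and not any(match(value, c) for c in perm):
            violations.append(f"{ntype} {value}: outside permitted subtrees {perm}")
        hits = [c for c in excl if match(value, c)]
        if hits:
            violations.append(f"{ntype} {value}: inside excluded subtrees {hits}")
    return violations


# Constructed constraint set for a hypothetical customer-operated sub-CA.
PERMITTED = [("dNSName", "example.com"), ("rfc822Name", "example.com")]
EXCLUDED = [("dNSName", "internal.example.com")]

# Constructed requests; the expected decision is noted beside each.
REQUESTS = [
    [("dNSName", "www.example.com")],               # issue
    [("rfc822Name", "alice@example.com")],          # issue (S/MIME)
    [("dNSName", "www.example.org")],               # refuse: other domain
    [("dNSName", "secret.internal.example.com")],   # refuse: excluded subtree
    [("rfc822Name", "bob@mail.example.com")],       # refuse: host rule, not subdomains
]


def evaluate_requests(requests=REQUESTS):
    """Returns a list of (requested names, violations) pairs, one per request."""
    return [(req, check_names(req, PERMITTED, EXCLUDED)) for req in requests]


if __name__ == "__main__":
    for req, viol in evaluate_requests():
        print(req, "ISSUE" if not viol else "REFUSE: " + "; ".join(viol))
```

Running the module prints one decision per constructed request. The last request is the case worth noticing for the S/MIME discussion: a sub-CA permitted only `rfc822Name example.com` may issue for alice@example.com but not for bob@mail.example.com, because the host form of the constraint does not extend to subdomains; covering those needs the leading-dot form `.example.com` in the permitted subtrees.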