Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.

I'm not sure exactly which message (of mine or someone else's) you're responding to.

In any case I don't think there's a "bright line" between the various scenarios involving independently-operated subordinate CAs. However in general I would look at the extent to which the subordinates are operating within a restricted context. E.g., they're associated with a single enterprise, they're technically and contractually constrained to operate within a relatively small set of domains, etc. At the other end of the spectrum the subordinates are essentially general-purpose public CAs, issuing certs to multiple customers, for arbitrary domains, etc.

Based on the information available to us, WISeKey's subordinate CAs seem to be at the restricted context end of the spectrum.

Provided that

- there is a *good compelling reason* for using subordinate certificates in the first place, limited to the domains under the control of the owner (via name-constraints) and with reasonable controls in place (like annual site visits, proper CA key generation, distribution and storage);

Based on what Kevin Blackman wrote, one major reason for the approach taken by WISeKey is the desire of customers to keep subscriber information within enterprise boundaries and/or national borders. Given the complexities of, e.g., privacy regulations in the US vs. the EU vs. other jurisdictions, this seems to me a good reason for an enterprise to operate its own subordinate CA as opposed to, for example, just acting as a Registration Authority for a subordinate CA operated elsewhere.

- name constraints in certificates are working as expected with NSS and Mozilla software *;

Whether certificate-based name constraints are properly working or not, I think this is more our problem than the CA's problem, provided that the CA's certs don't cause actual technical errors in NSS/Mozilla. If a CA is implementing technical measures we consider sound, then I think they have done what we expect and require.

(And I should add that if there are problems in NSS that need additional work to fix them, the Mozilla Foundation does have the ability to fund such work.)

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
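The relying-party side of the name-constraints point above, as an added example that is not part of the thread: it uses Go's crypto/x509 (rather than NSS) to build a constructed root -> enterprise sub-CA constrained to example.com -> leaf chain, and reports whether a leaf for a given DNS name is accepted. All names, serials and the example.com domain are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with parentKey; a nil parent makes it self-signed.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ConstrainedChainOK builds root -> name-constrained sub-CA -> leaf for dnsName and
// returns true only if the verifier accepts the leaf for that name (constructed PKI).
func ConstrainedChainOK(permitted, dnsName string) bool {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	root, rootKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	// The sub-CA carries a critical permittedSubtrees DNS constraint, as the thread proposes for enterprise sub-CAs.
	sub, subKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Enterprise Sub-CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{permitted}}, root, rootKey)
	leaf, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err == nil // Go rejects the chain when the leaf name falls outside the sub-CA's permitted subtree
}

func main() {
	fmt.Println("in-scope name accepted: ", ConstrainedChainOK("example.com", "www.example.com")) // true
	fmt.Println("out-of-scope name accepted:", ConstrainedChainOK("example.com", "www.other.test")) // false
}
```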
