On 11/20/2008 10:21 PM, Frank Hecker:
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.

I'm not sure exactly which message (of mine or someone else's) you're
responding to.

I referred to the general discussion about sub roots.


In any case I don't think there's a "bright line" between the various
scenarios involving independently-operated subordinate CAs.

On the other hand I think we should be clear in relation to the requirements placed upon the CAs. We should define them as clearly as possible in order to allow CAs to prepare accordingly.


Based on the information available to us, WISeKey's subordinate CAs seem
to be at the restricted context end of the spectrum.

Yes. Additionally one of the major concerns has apparently been corrected! As I mentioned earlier, I think that name-constraints and mandatory self-auditing by the CA seem to me sufficient.


Based on what Kevin Blackman wrote, one major reason for the approach
taken by WISeKey is the desire of customers to keep subscriber
information within enterprise boundaries and/or national borders. Given
the complexities of, e.g., privacy regulations in the US vs. the EU vs.
other jurisdictions, this seems to me a good reason for an enterprise to
operate its own subordinate CA as opposed to, for example, just acting
as a Registration Authority for a subordinate CA operated elsewhere.

I think that argument is somewhat far-fetched as the customer could work with a local authority instead. As I understood the subscriber information has to be disclosed to the CA anyway (monitoring, evidence and audit trail etc), hence I'm not really convinced. Integration into enterprise infrastructure however seems to me more logical...

Whether certificate-based name constraints are properly working or not,
I think this is more our problem than the CA's problem, provided that
the CA's certs don't cause actual technical errors in NSS/Mozilla. If a
CA is implementing technical measures we consider sound, then I think
they have done what we expect and require.

In this case, name-constraints are clearly part of the policy regulating those sub CAs and in my opinion the most convincing argument in favor of self-auditing of those installations as opposed to the general audit requirement. If name-constraints don't work as expected, an inclusion will have to be conditional on implementation. There shouldn't be a situation where the issuance of the sub-CA is based clearly on name-constraints regulation and NSS can't support it. Right now it's a hypothetical concern because I don't know what the situation is. Hopefully Nelson or somebody else will provide this information within reasonable time.


(And I should add that if there are problems in NSS that need additional
work to fix them, the Mozilla Foundation does have the ability to fund
such work.)


Great!


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto