On 11/21/2008 05:16 PM, kgb:
Frank, I agree with you. Our CA controls, audits, etc. are designed to ensure that all identities are validated appropriately prior to certificate issuance. BlackBox CAs are an extremely restricted CA context where certificates issued at the CA are restricted to domains owned by the organisation. It is not necessary for domain constraints to work in NSS software for our Root to be accepted, as the control's primary point of operation is PRIOR to certificate issuance. Even if domain constraints are not interpreted properly by NSS today, they will be in the future, and the certificates issued by our MPKI system using CAs in our DCs will be perfectly unaffected. I am sure that the name constraints implementation process will be much further along, and our Root still will not have propagated very far through the typical update mechanisms. On our behalf, I thus submit that it would be a fairly extreme and an unfair penalty to wait an additional year (the first discussion period was in January of this year) to be embedded, whereas the primary controls and practices we use have not changed significantly from that point in time.
Kevin, are you recording all domain names and/or email addresses of the subject line also in the subject alt name extension? If yes, the problem is solved, if not, could you modify your issuance of end user certificates to include all of the validated domain names and/or email addresses in the SAN extension?
BTW, this is the information I could gather about the state of NSS, it seems to me trivial to achieve adherence and correct functioning of the software.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
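As an added illustration (not part of the thread and not NSS code), the following simplified check applies a CA's name constraints in the manner of RFC 5280 section 4.2.1.10 to the dNSName and rfc822Name entries of an end-entity certificate's SAN; a name that appears only in the subject CN is never examined, which is the reason the exchange above asks for all validated domains and addresses to be placed in the SAN. The constraint and SAN values are constructed sample data.

```python
"""Simplified RFC 5280 name-constraint evaluation over SAN entries (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    # Each entry is (name type, value), e.g. ("dNSName", "example.com")
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_matches(name, constraint):
    """dNSName rule: adding zero or more labels on the left still matches."""
    name = name.lower().rstrip(".")
    c = constraint.lower().lstrip(".").rstrip(".")
    return name == c or name.endswith("." + c)


def rfc822_matches(addr, constraint):
    """rfc822Name rule: full mailbox, exact host, or '.domain' for any host within it."""
    addr, c = addr.lower(), constraint.lower()
    if "@" in c:                       # constraint names one specific mailbox
        return addr == c
    host = addr.rsplit("@", 1)[-1]
    if c.startswith("."):              # any mailbox at any host within the domain
        return host.endswith(c)
    return host == c                   # any mailbox at exactly that host


MATCHERS = {"dNSName": dns_matches, "rfc822Name": rfc822_matches}


def check_names(san_names, nc):
    """Return (type, value, reason) violations for the SAN entries against nc.

    Only SAN entries are inspected: a certificate whose validated names live
    solely in the subject CN yields an empty SAN list and is never constrained.
    """
    violations = []
    for ntype, value in san_names:
        match = MATCHERS.get(ntype)
        if match is None:
            continue                   # other name forms are outside this example
        for ctype, cval in nc.excluded:
            if ctype == ntype and match(value, cval):
                violations.append((ntype, value, f"excluded by {cval}"))
        permitted = [cval for ctype, cval in nc.permitted if ctype == ntype]
        # No permitted subtree of this type means the type is unrestricted.
        if permitted and not any(match(value, p) for p in permitted):
            violations.append((ntype, value, "not in any permitted subtree"))
    return violations
```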