Frank Hecker wrote:
Per the CA schedule, the next CA on the list for public comment is
WISeKey, which has applied to add its (one) root CA certificate to the
Mozilla root store, as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=371362
and in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#WISeKey
We've now completed the scheduled time for public discussion on this
request. Based on my reading of the prior material for this request
(e.g., in the bug and in the newsgroup) and my reading of the discussion
thread for this discussion period, there were two issues of note:
First is auditing of subordinate CAs as implemented by the BloackBox
product. As noted by Kevin Blackman, WISeKey now does annual onsite
audits of BlackBox customers. This satisfies any concerns I might have
had on the subject of audits.
Second is constraining subordinate CAs to issue certificates only within
their own domain(s). My understanding from the WISeKey documents and
from Kevin Blackman's comments is that WISeKey implements both
contractual and technical constraints in connection with the BlackBox
products. Based on comments by Eddy, Nelson, et.al., there are
apparently theoretical cases where such constraints could be evaded and
the evasion would not be picked up by NSS (based on NSS not checking
domain constraints on CN or any other values outside of the SAN stuff).
On the WISeKey end, they could mandate use of SAN in BlackBox-issued
certificates (as opposed to just including it in the default template),
and from the NSS end we could disallow use of CN for storing domain
names. These may be good ideas for future consideration, but I can't
justify holding up this request till they get implemented.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
