On 31.12.2008 19:57, Frank Hecker wrote:
> Kyle Hamilton wrote:
>> Ummm... has an enterprise PKI ever been included in Mozilla?
>
> Sorry, I wasn't being clear here. I'm not referring to enterprises
> that have their own root CAs. I was referring to schemes where
> enterprises work through CAs like VeriSign to issue certificates to
> their own employees, servers, etc. IIRC in a number of these schemes
> the CA is responsible for actually issuing the certificates but the
> validation is done by the enterprise. (For example, the CA might
> provide a web-based interface by which authorized representatives of
> the enterprise can submit previously-validated CSRs to the CA, and get
> back certificates in return.) In these cases the enterprises are
> essentially acting as RAs.

I think this scenario is different, assuming it's implemented properly:
The company would only be able to approve web server certs for their
domain, i.e. it's like a wildcard cert. More importantly, they'd verify
S/MIME email certs, but again only within their domain.
I would consider this to be secure.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
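
The domain scoping described in the reply above, sketched as a CA-side check (an added example, not part of the original message and not any CA's actual code). It assumes the names have already been extracted from the submitted CSR and that subdomains count as inside the RA's domain; `in_domain`, `check_request` and all sample names are hypothetical.

```python
# Added example: scope check for names requested through an enterprise RA.
# Function names and sample data are constructed for illustration.

def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.strip().lower().rstrip(".")

def in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain, matched on label boundaries."""
    host, domain = _norm(host), _norm(domain)
    return bool(domain) and (host == domain or host.endswith("." + domain))

def check_request(ra_domain: str, dns_names, emails):
    """Return a list of (name, reason) entries the CA should refuse for this RA."""
    rejected = []
    for name in dns_names:
        n = _norm(name)
        # A wildcard is accepted only as the entire leftmost label.
        base = n[2:] if n.startswith("*.") else n
        if "*" in base:
            rejected.append((name, "wildcard not in leftmost label"))
        elif not in_domain(base, ra_domain):
            rejected.append((name, "outside RA domain"))
    for addr in emails:
        local, sep, host = addr.rpartition("@")
        if not sep or not local:
            rejected.append((addr, "malformed address"))
        elif not in_domain(host, ra_domain):
            rejected.append((addr, "outside RA domain"))
    return rejected

# Constructed sample request (names as they would appear in subjectAltName).
SAMPLE_DNS = ["www.example.com", "*.example.com", "example.com.",
              "evilexample.com", "example.com.other.test", "w*w.example.com"]
SAMPLE_EMAIL = ["alice@example.com", "bob@mail.example.com",
                "carol@example.org", "example.com"]

if __name__ == "__main__":
    for name, reason in check_request("example.com", SAMPLE_DNS, SAMPLE_EMAIL):
        print(f"refuse {name}: {reason}")
```

Matching on a leading dot rather than a bare string suffix is what keeps `evilexample.com` out of scope for an RA limited to `example.com`.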