On 23/1/09 21:56, Florian Weimer wrote:
> * Michael Ströder:
>> Florian Weimer wrote:
>>> What about requiring that all certificates must be published by the CA
>>> (including sub-CAs)?
>> No, this might lead to also revealing internal DNS names never meant to
>> be public.
> Huh? Typical CA policies explicitly state that subscriber
> certificates are not confidential, and are not treated as such by the
> CA (so that they can be used by marketing, for instance).
What I know of, not exclusive or reliable:
1. privacy, as Eddy has pointed out. The reason that certificate info
is treated as "non-confidential" is fundamentally a statement that
reduces the liability for the CA in the event of a breach. As far as I
understand it, that is. Losing data that is non-confidential is a lower
class of sin than losing data that is confidential, so it is good for
the CA to state it as policy.
2. while certificates by their nature and name are often public
("public key"), that doesn't mean that anyone else can use them.
Indeed, some CAs go to the extent of making their certificates
"proprietary" under the doctrine of copyright, etc. CAcert does this,
and also AFAIK, Verisign does this although for perhaps different
motives. In this case, the direct concern appears to be to establish
the RPA or equivalent.
3. The publication of certs in a public archive is not to be confused
with the storage in a private archive. Beyond the obvious reasons, they
can also be used to invalidate a forged cert. This would have been seen
perhaps if the recent CCC intermediate MD5 subroot had appeared in
court, in that one can always see circumstances where an external agency
can forge a cert, but that agency cannot ("so easily") insert the cert
into some valid chain of created certs within the issuer. The
evidence tells the story that it is forged (but not how it was forged
... what the court makes of that story and how the contracts deal with
it are ... up for wider speculation of course.)
4. To comment on Kyle's earlier comment that Audits may impact the
question of publication of certs and/or their recording in a repository:
* DRC asks for publication
* WebTrust does not, as far as I can read it
* Chokhani et al says that section 2 of the CPS should document it
* evidence rules don't matter if you don't present it as evidence;
if you do present it as evidence, it is too late to change the
history, you got what you got. Which is to say, this is not a
general requirement, but might be added value, "and you can use
this in court as evidence."
* general state rules on recording documents might apply, but I am
not convinced myself.
5. Finally, see comments earlier about the substantial number of
internal certs. There is some sort of validity in corporations using
certs in internal networks not wanting them broadcast.
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
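Point 3 above argues that an issuer's private archive of everything it signed lets the issuer show that a presented certificate was never created inside its own chain of issuance. The following is an added illustration of that check, not code from the thread or from any CA; certificates are modelled as a to-be-signed body plus the issuer's signature, the "signature" is a constructed stand-in rather than a real RSA operation, and all sample bytes are constructed. It also distinguishes the case the post alludes to with the MD5 subroot: a certificate that carries a signature the issuer genuinely produced, but over a different body.

```python
"""Issuer-side archive check: was a presented certificate actually issued by us?

Added example for the dev-tech-crypto discussion above; not part of the thread.
A certificate is modelled as its to-be-signed (TBS) body plus the signature the
issuer produced over it. `sign()` is a constructed stand-in for a real signature
so the example runs offline with the standard library only.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the issuer's private key material (not a real key).
ISSUER_SECRET = b"constructed-issuer-secret"


@dataclass(frozen=True)
class Cert:
    serial: int
    tbs: bytes        # stand-in for the DER-encoded to-be-signed part
    signature: bytes  # issuer's signature over the TBS part


def sign(tbs: bytes) -> bytes:
    """Constructed signature stand-in: keyed hash of the TBS body."""
    return hashlib.sha256(ISSUER_SECRET + tbs).digest()


def fingerprint(cert: Cert) -> str:
    """SHA-256 over the whole certificate (TBS + signature), as a usual fingerprint is."""
    return hashlib.sha256(cert.tbs + cert.signature).hexdigest()


class IssuerArchive:
    """The CA's private record of what it signed, indexed by fingerprint and by signature."""

    def __init__(self) -> None:
        self._by_fingerprint: dict[str, Cert] = {}
        self._by_signature: dict[bytes, Cert] = {}

    def issue(self, serial: int, tbs: bytes) -> Cert:
        """Sign a TBS body and record the resulting certificate before it leaves the CA."""
        cert = Cert(serial=serial, tbs=tbs, signature=sign(tbs))
        self._by_fingerprint[fingerprint(cert)] = cert
        self._by_signature[cert.signature] = cert
        return cert

    def classify(self, presented: Cert) -> str:
        """Explain a presented certificate in terms of the issuer's own records.

        ISSUED            the exact certificate is in the archive
        COLLISION_FORGERY the signature is one we produced, but over a different
                          body (a genuine signature transplanted onto forged
                          content, as in a hash-collision attack)
        NOT_ISSUED        nothing in the archive matches; the signature was
                          never produced by this issuer's records
        """
        if fingerprint(presented) in self._by_fingerprint:
            return "ISSUED"
        original = self._by_signature.get(presented.signature)
        if original is not None and original.tbs != presented.tbs:
            return "COLLISION_FORGERY"
        return "NOT_ISSUED"


def demo() -> dict[str, str]:
    """Run the three cases on constructed data and return their classifications."""
    archive = IssuerArchive()
    genuine = archive.issue(serial=1001, tbs=b"CN=www.example.test,O=Example (constructed)")

    # Forgery that reuses the genuine signature over a different body: the archive
    # shows the body we actually signed under that signature, so the mismatch is
    # visible even though the signature itself is authentic.
    forged_reuse = Cert(serial=1001, tbs=b"CN=Rogue Sub-CA (constructed)", signature=genuine.signature)

    # Certificate claiming this issuer but with a signature we never produced.
    unknown = Cert(serial=4242, tbs=b"CN=never-issued.test (constructed)", signature=b"\x00" * 32)

    return {
        "genuine": archive.classify(genuine),
        "forged_reuse": archive.classify(forged_reuse),
        "unknown": archive.classify(unknown),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of indexing by signature as well as by fingerprint is exactly the post's observation: an outside party may be able to produce a certificate that verifies, but cannot retroactively insert it into the issuer's record, so the record, not the signature, is what tells the court which body the issuer actually signed.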