* Ian G.:
>> Huh? Typical CA policies explicitly state that subscriber
>> certificates are not confidential, and are not treated as such by the
>> CA (so that they can be used by marketing, for instance).
> What I know of, not exclusive or reliable:
>
> 1. privacy, as Eddy has pointed out. The reason that certificate
> info is treated as "non-confidential" is fundamentally a statement
> that reduces the liability for the CA in the event of a breach. As
> far as I understand it, that is. Losing data that is non-confidential
> is a lower class of sin than losing daya that is confidential, so it
> is good for the CA to state it as policy.
If there's a certificate in the path with a working DN constraint (I
don't know if such a beast exists for domain/server certificates), I
suppose little additional transparency is gained from publication of
additional subject certificates.
In any case, the above is also an argument for anonymous EV
certificates, not just against keeping searchable records of
certificates.
> 2. while certificates by their nature and name are often public
> ("public key"), that doesn't mean that anyone else can use
> them. Indeed, some CAs go to the extent of making their certificates
> "proprietary" under the doctrine of copyright, etc. CAcert does this,
> and also AFAIK, Verisign does this although for perhaps different
> motives. In this case, the direct concern appears to be to establish
> the RPA or equivalent.
This also affects the certificates in the browser list, right?
What bugs me about the lack of certificate disclosure is that it
typicall covers less data which ICANN requires from registries and
accredited registrars to make available (at a few in some cases). DNS
provides quite a bit of transparency in this area (data accuracy
issues notwithstanding). The browser PKI is supposed to cover
matching data and to be more secure, yet very little data is published
(or made available for a fee) in searchable form by the certification
authorities themselves. I don't think this makes any sense whatsoever
--until you cynically assume that the opacity is there to protect CAs
from PR blunders and worse. 8-(
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
