Eddy Nigg wrote:
> On 04/01/2010 02:40 PM, Michael Ströder:
>> You could also spend ~5000 EUR and have your own corporate sub-CA issuing
>> certs for whatever DNS name you want.
>
> Which doesn't imply that no domain control validation is performed.

Of course everything is covered by contracts. But there isn't any domain control validation in the particular case I know of. An organization I know has such a sub-CA cert signed by a pre-installed trusted root CA. Domain control validation is practically impossible for the superior CA since this organization has tens of thousands of domains registered. I know that this organization does not do anything bad so I won't mention the root CA here. But personally I take this as evidence that if you spent this fairly low amount of money you could issue arbitrary certs without the superior CA noticing it. IMO this could not even be discovered by audits if someone wanted to hide bad activity.

Ciao, Michael.