I was looking at our CA root list, and a lot of them seem like
"specialist" CAs that would only issue certs for a limited range of
hostnames. Could we formalize this, and have CAs indicate any such
restrictions as part of their application, then enforce it on our end?
That would limit the extent to which a compromise of one of these
"specialist" CAs could be exploited (e.g. we'd notice that a Dutch CA is
being used to sign the Mossad's website and cry foul, without
pre-pinning the CA for the presumably rarely visited Mossad site). If
one of the big CAs that issue certs all over were compromised there
would still be a problem of course, but we could conceivably demand more
diligence in terms of being added to our cert store from CAs that want
to issue certs to everyone ... and even if we don't we might trust some
of them more than the specialist CAs to start with.
Has this been considered before? Is my assumption that a lot of the CAs
in our trust list would only issue to a small subset of possible
hostnames accurate? If so, is doing what I propose above feasible and
worthwhile?
Other than the above and CA pinning for particular sites, any other
ideas on how we can mitigate the scope of problems like this in the future?
-Boris
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
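
An added example, not part of the original message and not code from any root program: a minimal sketch of the client-side check the proposal describes, where each root has a declared hostname scope and a certificate chaining to it is rejected for names outside that scope. The CA names, the scope table and the function names are all assumptions made for illustration.

```python
# Added illustration: per-root hostname scopes enforced by the client.
# All CA names and scopes are constructed, not taken from a real root list.
from typing import Optional

# None means the CA declared no restriction (a "general" CA).
DECLARED_SCOPES: dict[str, Optional[tuple[str, ...]]] = {
    "Example Dutch Specialist Root": ("nl",),
    "Example University Root": ("example.edu", "example-campus.org"),
    "Example General Root": None,
}

def normalize(hostname: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host

def in_scope(hostname: str, suffix: str) -> bool:
    """Match on whole DNS labels so 'evilnl' or 'notexample.edu' do not pass."""
    host = normalize(hostname)
    suffix = suffix.lower().strip(".")
    return host == suffix or host.endswith("." + suffix)

def check_issuance(root_name: str, san_hostnames: list[str]) -> list[str]:
    """Return the hostnames that fall outside the root's declared scope.

    Raises KeyError for a root with no declaration on file, so a missing
    entry fails closed instead of being treated as unrestricted.
    """
    scopes = DECLARED_SCOPES[root_name]
    if scopes is None:
        return []
    return [h for h in san_hostnames
            if not any(in_scope(h, s) for s in scopes)]

if __name__ == "__main__":
    # Constructed certificates: (root the chain ends in, SAN dNSNames).
    samples = [
        ("Example Dutch Specialist Root", ["www.example.nl", "*.example.nl"]),
        ("Example Dutch Specialist Root", ["www.mossad.gov.il"]),
        ("Example General Root", ["www.mossad.gov.il"]),
    ]
    for root, names in samples:
        bad = check_issuance(root, names)
        print(root, names, "->", "REJECT " + str(bad) if bad else "ok")
```

The third sample shows the residual risk the message already notes: a root with no declared restriction passes for any hostname.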