On 19/02/12 04:30, Jan Schejbal wrote:
> A different interesting approach for a punishment could be removal of
> the ability to create Sub-CAs. This would not put a CA out of business
> like other solutions, but hurt it and most importantly, remove an
> extremely risky ability.
>
> This could probably be done by removing the root and adding a new,
> modified cert that has a length constraint (possibly adding all
> still-allowed CA-owned sub-CAs if they issued Sub-CAs directly from
> their root).

I don't think this would be terribly practical. If the length constraint
was 1, then the CA would need to issue all subscriber certs directly off
the root - which is a strongly discouraged practice. If the length
constraint was 2, then the CA could still issue subordinates.

The only way around this would be to add all the CA's existing
subordinates to NSS with length constraint 1. However, this would put a
significant crimp in the CA's day-to-day operations; creating new
subordinates is, as I understand it, something that happens reasonably
often (every few months, perhaps), for a diverse number of reasons. If
Firefox embeds all the intermediates, the CA suddenly has a ubiquity
problem, because if they issued a new one, we could not easily update
all older Firefoxes with it, particularly those which are no longer
supported.

You may say "well, giving the CA pain is the point", but it's worth
noting that your proposed course of action has significant side-effects.

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
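
The path length check discussed in this thread, as an added example that is not part of the original message and is not NSS code. It follows RFC 5280's counting, where pathLenConstraint is the number of subordinate CA certificates that may follow (0 means the CA may sign only subscriber certificates), and it assumes the validator enforces the constraint carried by the trust anchor itself; `Cert`, `check_path` and all certificate names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:                              # hypothetical model, not a real X.509 parser
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None       # pathLenConstraint; None means absent

def check_path(chain: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the trust anchor, chain[-1] the subscriber certificate."""
    anchor, rest = chain[0], chain[1:]
    if not anchor.is_ca or not rest:
        return False, "need a CA anchor and at least one issued certificate"
    # budget = subordinate CA certificates still allowed below this point
    budget = anchor.path_len if anchor.path_len is not None else len(rest)
    for i, cert in enumerate(rest):
        if cert.issuer != chain[i].subject:
            return False, f"{cert.subject}: issuer does not match"
        if i == len(rest) - 1:
            break                        # the last certificate consumes no budget
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:  # self-issued certificates are not counted
            if budget == 0:
                return False, f"{cert.subject}: path length exceeded"
            budget -= 1
        if cert.path_len is not None:    # a subordinate can only tighten the limit
            budget = min(budget, cert.path_len)
    return True, "ok"

# Constructed sample certificates (all names are placeholders).
def root(n): return Cert("Example Root", "Example Root", True, n)
SUB_A = Cert("Example Sub A", "Example Root", True)
SUB_NEW = Cert("Example Sub New", "Example Sub A", True)
EE_ROOT = Cert("www.example.test", "Example Root")
EE_A = Cert("www.example.test", "Example Sub A")
EE_NEW = Cert("www.example.test", "Example Sub New")
# An existing subordinate embedded as its own anchor with pathLenConstraint 0.
SUB_A_EMBEDDED = Cert("Example Sub A", "Example Root", True, 0)

if __name__ == "__main__":
    for label, chain in [
        ("root(0), issued off the root", [root(0), EE_ROOT]),
        ("root(0), via subordinate", [root(0), SUB_A, EE_A]),
        ("root(1), via subordinate", [root(1), SUB_A, EE_A]),
        ("embedded sub(0), new subordinate", [SUB_A_EMBEDDED, SUB_NEW, EE_NEW]),
    ]:
        print(f"{label}: {check_path(chain)}")
```
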