Re: Forcing specific CA for domain

2006-09-15 Thread wof
Hello, I'm currently writing an extension for Firefox that checks a fingerprint from an SSL certificate against the stored fingerprint for a configured domain. If the fingerprint does not match, a warning appears. This extension should support a trusted anchor without a CA like VeriSign and could be

Re: Forcing specific CA for domain

2006-08-18 Thread Anders Rundgren
<[EMAIL PROTECTED]> Newsgroups: mozilla.dev.tech.crypto To: Sent: Saturday, August 19, 2006 00:55 Subject: Re: Forcing specific CA for domain Hello Gervase Markham wrote: > If you think they might do that, why might they not do it for other > domains your users use (e.g. their bank)? They mig

Re: Forcing specific CA for domain

2006-08-18 Thread Balint Balogh
Hello Gervase Markham wrote: > If you think they might do that, why might they not do it for other > domains your users use (e.g. their bank)? They might but I do not have direct control over that so I have to accept the risk or try to reduce it through other means. However I have direct control

Re: Forcing specific CA for domain

2006-08-18 Thread Kyle Hamilton
Risk management, Gervase. If a company/domain-owner can securely identify what CA they use, that prevents any other CA -- even one who ends up inadvertently issuing certificates contrary to their CPS -- from causing damage, and thus lowers the risk of any individual CA that may be in any given br

Re: Forcing specific CA for domain

2006-08-18 Thread Gervase Markham
Balint Balogh wrote: > Without this security measure, any CA that has its certificates in client > software has the power to thwart SSL/TLS security by issuing fake certificates > claiming to belong to *.example.com servers or email addresses. If you think they might do that, why might they not do

Re: Forcing specific CA for domain

2006-08-15 Thread Balint Balogh
Hello > This is consistent with what I said. Distrust all root CAs but your own. > Issue intermediate CA certs with name constraints that effectively replace > all the distrusted root certs. Now I guess I understand how this would work. This seems to be a viable solution, but it is cumbersome an

Re: Forcing specific CA for domain

2006-08-15 Thread Nelson B
Bob Relyea wrote: >>> In general, this cannot be done. It is possible to put "name constraints" >>> on CAs that are subordinate to a root CA, but not generally on root CAs. >>> >> I was afraid of getting an answer like this but thanks for replying anyway. >> :) >> > This is the general p

Re: Forcing specific CA for domain

2006-08-15 Thread Bob Relyea
Balint Balogh wrote: Hello In general, this cannot be done. It is possible to put "name constraints" on CAs that are subordinate to a root CA, but not generally on root CAs. I was afraid of getting an answer like this but thanks for replying anyway. :) This is the general problem P

Re: Forcing specific CA for domain

2006-08-15 Thread Balint Balogh
Hello Kyle Hamilton wrote: > Maybe a TXT record or recordset with the AKIDs that it authorizes to > sign things in that domain? I suppose you mean TXT records in the DNS. (Excuse me for my ignorance but what is an AKID?) TXT records in the DNS may be a moderately useful way of restricting the set

Re: Forcing specific CA for domain

2006-08-15 Thread Kyle Hamilton
Maybe a TXT record or recordset with the AKIDs that it authorizes to sign things in that domain? -Kyle H On 8/14/06, Balint Balogh <[EMAIL PROTECTED]> wrote: Hello > In general, this cannot be done. It is possible to put "name constraints" > on CAs that are subordinate to a root CA, but not g

Re: Forcing specific CA for domain

2006-08-14 Thread Balint Balogh
Hello > In general, this cannot be done. It is possible to put "name constraints" > on CAs that are subordinate to a root CA, but not generally on root CAs. I was afraid of getting an answer like this but thanks for replying anyway. :) > The user has control over which CAs he trusts. If there a

Re: Forcing specific CA for domain

2006-08-14 Thread Nelson B
Balint Balogh wrote: > Hello > > Suppose Example Ltd. runs its own local CA that issues certificates to servers > and email addresses at example.com and its subdomains. The certificate of this > CA is installed as a trusted CA certificate into every browser (Firefox) and > email client (Thunderbir