[cabfpub] A few technical details about the case by TURKTRUST

Rick Andrews Rick_Andrews at symantec.com
Fri Jan 4 14:30:28 MST 2013


Eddy,

I agree with you, but AFAIK, TurkTrust issued these two certs from an online intermediate. Having your roots offline does not prevent the issuance of certs with cA=true in basicConstraints.

-Rick

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, January 04, 2013 12:29 PM
To: public at cabforum.org
Subject: Re: [cabfpub] A few technical details about the case by TURKTRUST


On 01/04/2013 09:40 PM, From Rick Andrews:
I have one concern about the post process control you’ve put into place. You say that it will check the basicConstraints value against the respective certificate policy. I’m worried that if that test profile gets put on the production system again, and certs are issued against it, your post process control will not alert you, because the test policy would say “add basicConstraints cA=true” and that would match the issued certificate.

Well, clearly CA certificates should only be issued from an off-line CA root which has no business on any production environment. It's not clear to me why this has been done in the first place (knowing how CA roots should be treated).

WebTrust also has a criterion about how development and test data is treated; I don't know what ETSI says about it.

Except for issuing some test certificates, which however shouldn't involve any real subscribers, issuing end-user certificates from the CA root is yet another practice that should be banished by now, no? Is this what happened here?

Regards



Signer:
Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
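The weakness Rick raises in the quoted text, as an added example that is not part of the thread or of any CA's tooling: a post-issuance control that compares the basicConstraints cA flag against the issuance profile is blind when the profile itself is wrong, whereas a profile-independent invariant (no cA=TRUE from the online issuing CA unless approved out of band) still alerts. The profiles, serials and extension bytes are constructed; the DER decoder handles only short-form lengths, which suffices for basicConstraints.

```python
from typing import List, Optional, Tuple

def parse_basic_constraints(ext_value: bytes) -> Tuple[bool, Optional[int]]:
    """Decode the DER value of a basicConstraints extension (RFC 5280 4.2.1.9):
    SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
    Returns (cA, pathLen). Short-form lengths only, which is enough here."""
    if len(ext_value) < 2 or ext_value[0] != 0x30:
        raise ValueError("basicConstraints must be a SEQUENCE")
    body = ext_value[2:2 + ext_value[1]]
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN cA
        ca = body[pos + 2] != 0x00
        pos += 2 + body[pos + 1]
    if pos < len(body) and body[pos] == 0x02:          # INTEGER pathLenConstraint
        n = body[pos + 1]
        path_len = int.from_bytes(body[pos + 2:pos + 2 + n], "big")
    return ca, path_len

# Constructed issuance profiles; "test-subca" stands in for the test profile
# that should never have reached the production issuing CA.
PROFILES = {
    "tls-server": {"ca": False},
    "test-subca": {"ca": True},
}

# Constructed post-issuance log: (serial, profile name, raw basicConstraints DER).
ISSUED = [
    ("01", "tls-server", bytes.fromhex("3000")),        # cA absent -> FALSE
    ("02", "test-subca", bytes.fromhex("30030101ff")),  # cA=TRUE, from the test profile
]

# Constructed allowlist of subordinate CA serials approved out of band (e.g. signed
# from the offline root). Empty, because the online issuing CA should issue none.
APPROVED_SUBCA_SERIALS = frozenset()

def profile_relative_check(records) -> List[str]:
    """The control as described in the thread: cA must match the profile.
    A wrong profile on production makes a mis-issued CA certificate look correct."""
    return [s for s, p, v in records
            if parse_basic_constraints(v)[0] != PROFILES[p]["ca"]]

def invariant_check(records) -> List[str]:
    """Profile-independent control: any cA=TRUE certificate from the online
    issuing CA is an incident unless its serial was approved out of band."""
    return [s for s, _, v in records
            if parse_basic_constraints(v)[0] and s not in APPROVED_SUBCA_SERIALS]

if __name__ == "__main__":
    print("profile-relative alerts:", profile_relative_check(ISSUED))  # []
    print("invariant alerts:", invariant_check(ISSUED))                # ['02']
```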



