[cabfpub] A few technical details about the case by TURKTRUST

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jan 4 20:29:04 UTC 2013

On 01/04/2013 09:40 PM, From Rick Andrews:
> I have one concern about the post process control you’ve put into 
> place. You say that it will check the basicContraints value against 
> the respective certificate policy. I’m worried that if that test 
> profile gets put on the production system again, and certs are issued 
> against it, your post process control will not alert you, because the 
> test policy would say “add basicConstrains cA=true” and that would 
> match the issued certificate.

Well, clearly CA certificates should be only issued from an off-line CA 
root which has nothing lost on any production environment. It's not 
clear to me why this has been done in first place (knowing how CA roots 
should be treated).

WebTrust has also a criteria about how development and test data is 
treated, I don't know what ETSI says about it.

Except issuing some test certificate, which however shouldn't involve 
any real subscribers, issuing from the CA root end-user certificates is 
yet another practice that should be banished by now, no? Is this what 
happened here?

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130104/1a399778/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130104/1a399778/attachment-0002.p7s>

More information about the Public mailing list