[cabfpub] A few technical details about the case by TURKTRUST

Gervase Markham gerv at mozilla.org
Mon Jan 7 11:06:02 UTC 2013

On 04/01/13 19:40, Rick Andrews wrote:
> I have one concern about the post process control you’ve put into place.
> You say that it will check the basicContraints value against the
> respective certificate policy. I’m worried that if that test profile
> gets put on the production system again, and certs are issued against
> it, your post process control will not alert you, because the test
> policy would say “add basicConstrains cA=true” and that would match the
> issued certificate.

I also had this concern. I think Rick's advice is very good.

Question for the group: would it be a good idea to recommend it as a
best practice that intermediates issued for the purpose of issuing
end-entity certificates have a path length constraint? As I understand
it, if TurkTrust's intermediate which mis-issued this certs had had such
a constraint, the *.google.com and other certs created by the firewall
appliance would not have worked. Am I right?


More information about the Public mailing list