[cabfpub] A few technical details about the case by TURKTRUST
Madell, William
bill.madell at trustis.com
Mon Jan 7 11:10:03 UTC 2013
Yes, that seems correct; probably worthwhile discussing such a constraint as a future best practice.
Cheers,
Bill
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: 07 January 2013 11:06
To: Rick Andrews; mert.ozarar; public at cabforum.org
Subject: Re: [cabfpub] A few technical details about the case by TURKTRUST
On 04/01/13 19:40, Rick Andrews wrote:
> I have one concern about the post process control you’ve put into place.
> You say that it will check the basicConstraints value against the
> respective certificate policy. I’m worried that if that test profile
> gets put on the production system again, and certs are issued against
> it, your post process control will not alert you, because the test
> policy would say “add basicConstraints cA=true” and that would match the
> issued certificate.
I also had this concern. I think Rick's advice is very good.
Question for the group: would it be a good idea to recommend it as a
best practice that intermediates issued for the purpose of issuing
end-entity certificates have a path length constraint? As I understand
it, if TurkTrust's intermediate which mis-issued these certs had had such
a constraint, the *.google.com and other certs created by the firewall
appliance would not have worked. Am I right?
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
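Added example, not part of the thread: a simplified model of the basicConstraints steps of RFC 5280 path validation (section 6.1.4), run over a constructed chain shaped like the one discussed above, with and without pathLenConstraint=0 on the issuing intermediate. The certificate names and the `Cert`, `check_path` and `chain` helpers are assumptions made for illustration; signatures, validity dates and other extensions are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False             # basicConstraints cA
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint


def check_path(path: List[Cert]) -> Tuple[bool, str]:
    """path[0] is issued by the trust anchor, path[-1] is the end-entity.
    Only the basicConstraints steps are modelled (no signatures, dates, EKU)."""
    max_path_length = len(path)
    for cert in path[:-1]:                      # every cert that acts as an issuer
        if not cert.is_ca:
            return False, f"{cert.subject}: cA is not TRUE"
        if cert.subject != cert.issuer:         # not self-issued
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


def chain(intermediate_path_len: Optional[int], misissued_is_ca: bool = True) -> List[Cert]:
    """Constructed chain: issuing intermediate -> mis-issued cert -> leaf under it."""
    return [
        Cert("Issuing intermediate", "Root", is_ca=True, path_len=intermediate_path_len),
        Cert("Mis-issued cert", "Issuing intermediate", is_ca=misissued_is_ca),
        Cert("*.google.com", "Mis-issued cert"),
    ]


if __name__ == "__main__":
    print(check_path(chain(None)))                         # no constraint: path accepted
    print(check_path(chain(0)))                            # pathLenConstraint=0: rejected
    print(check_path(chain(None, misissued_is_ca=False)))  # correct end-entity profile
    print(check_path(chain(0)[:2]))                        # ordinary end-entity issuance
```

The last case shows that pathLenConstraint=0 does not interfere with the intermediate's normal job of issuing end-entity certificates; it only stops anything it issues from acting as a further CA.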