[cabfpub] A few technical details about the case by TURKTRUST

Madell, William bill.madell at trustis.com
Mon Jan 7 11:10:03 UTC 2013

Yes, that seems correct; probably worthwhile discussing such a constraint as a future best practice.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: 07 January 2013 11:06
To: Rick Andrews; mert.ozarar; public at cabforum.org
Subject: Re: [cabfpub] A few technical details about the case by TURKTRUST

On 04/01/13 19:40, Rick Andrews wrote:
> I have one concern about the post process control you’ve put into place.
> You say that it will check the basicConstraints value against the
> respective certificate policy. I’m worried that if that test profile
> gets put on the production system again, and certs are issued against
> it, your post process control will not alert you, because the test
> policy would say “add basicConstraints cA=true” and that would match the
> issued certificate.

I also had this concern. I think Rick's advice is very good.

Question for the group: would it be a good idea to recommend it as a
best practice that intermediates issued for the purpose of issuing
end-entity certificates have a path length constraint? As I understand
it, if TurkTrust's intermediate which mis-issued these certs had had such
a constraint, the *.google.com and other certs created by the firewall
appliance would not have worked. Am I right?
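As an added illustration of Gerv's question (example code, not from this thread or from any CA's software): a model of RFC 5280 path-length processing showing why a pathLenConstraint of 0 on the intermediate would have made the appliance-generated *.google.com chain fail to validate, plus a post-process check in the spirit of Rick's comment that does not depend on the issuing profile. The certificate names and records are constructed stand-ins, not real certificates.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 cert (signatures assumed verified)."""
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints cA
    path_len: Optional[int] = None   # pathLenConstraint; None when absent

def validate_path(chain: List[Cert]) -> Optional[str]:
    """chain[0] is the trust anchor, chain[-1] the end-entity cert. Returns
    None when the path is acceptable, else the reason it was rejected. Follows
    RFC 5280 6.1.4 (k)-(m): each intermediate must be a CA and consumes one
    unit of path length; a smaller pathLenConstraint tightens the budget."""
    max_path_length = len(chain)               # no limit until a CA sets one
    for depth, cert in enumerate(chain[1:], start=1):
        if cert.issuer != chain[depth - 1].subject:
            return f"{cert.subject}: not issued by {chain[depth - 1].subject}"
        if depth == len(chain) - 1:
            return None                        # end-entity cert reached
        if not cert.is_ca:
            return f"{cert.subject}: used as an issuer but cA is not set"
        if max_path_length <= 0:
            return f"{cert.subject}: pathLenConstraint of its issuer exceeded"
        max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None

def post_issuance_alert(issued: Cert, issuer: Cert) -> bool:
    """Post-process control that ignores the issuing profile (Rick's gap): an
    end-entity-only intermediate (pathLenConstraint 0) must never sign cA=true."""
    return issuer.path_len == 0 and issued.is_ca

# Constructed scenario modelled on the thread: a customer cert mis-issued with
# cA=true sits in a firewall appliance and signs a *.google.com certificate.
ROOT = Cert("Example Root", "Example Root", True)
UNCONSTRAINED = Cert("Example Sub CA", "Example Root", True)
CONSTRAINED = Cert("Example Sub CA", "Example Root", True, path_len=0)
ROGUE = Cert("Appliance (mis-issued)", "Example Sub CA", True)
LEAF = Cert("*.google.com", "Appliance (mis-issued)", False)

def run_scenario() -> dict:
    return {
        "unconstrained": validate_path([ROOT, UNCONSTRAINED, ROGUE, LEAF]),
        "constrained": validate_path([ROOT, CONSTRAINED, ROGUE, LEAF]),
        "alert": post_issuance_alert(ROGUE, CONSTRAINED),
    }
```

With the unconstrained intermediate the rogue chain validates; with pathLenConstraint 0 it is rejected at the appliance cert, and the profile-independent check would have flagged the mis-issued cert at issuance time.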
