[SSL Observatory] things a CA should probably never sign
Jacob Appelbaum
jacob at appelbaum.net
Wed Nov 9 12:00:49 PST 2011
Hi,
I've had a few discussions with people about interesting things that a
CA should probably never sign for the public internet. A private CA or a
CA used simply for private purposes is obviously another story.
Off the top of my head and to kick things off:
non-FQDN host names such as 'mail'
scoped names that cannot be verified such as 'foo.bar.local'
Other things include:
high profile domains without manual verification
weakly keyed CSR with say a 3 or 512 bit key
It seems like this is ripe for a wiki or something that is public. Some
of these things may be a good debate but that they are issues at all for
someone is probably not much of a debate.
Thoughts?
Sincerely,
Jacob
More information about the Observatory
mailing list