[SSL Observatory] things a CA should probably never sign
Kai Engert
kaie at kuix.de
Wed Nov 9 13:10:45 PST 2011
On 09.11.2011 21:00, Jacob Appelbaum wrote:
> Hi,
>
> I've had a few discussions with people about interesting things that a
> CA should probably never sign for the public internet.
Have you seen https://wiki.mozilla.org/CA:Problematic_Practices ?
You might be interested in newsgroup
mozilla.dev.security.policy at news.mozilla.org
where related discussions can be found.
> A private CA or a
> CA used simply for private purposes is obviously another story.
>
> Off the top of my head and to kick things off:
>
> non-FQDN host names such as 'mail'
> scoped names that cannot be verified such as 'foo.bar.local'
See also
https://wiki.mozilla.org/CA:Problematic_Practices#Issuing_SSL_Certificates_for_Internal_Domains
> Other things include:
>
> high profile domains without manual verification
See also
https://wiki.mozilla.org/CA:Communications#September_8.2C_2011
# 4)
for a recent request from Kathleen Wilson (who manages Mozilla's root CA
program).
> weakly keyed CSR with say a 3 or 512 bit key
See also
https://wiki.mozilla.org/CA:Problematic_Practices#Minimum_Key_Sizes
> It seems like this is ripe for a wiki or something that is public. Some
> of these things may be a good debate but that they are issues at all for
> someone is probably not much of a debate.
Best Regards
Kai
More information about the Observatory
mailing list