[SSL Observatory] the CA sub-CA smoking gun

Tom Ritter tom at ritter.vg
Fri Feb 3 14:11:13 PST 2012


This popped up on mozilla.dev.security.policy:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/7a1c21bc445f8cb9/095cc78cec78a5b7#095cc78cec78a5b7

Comodo came out and said:

Comodo have not issued subordinate CA
certificates to enterprises for the purpose of transparently managing
encrypted traffic - or for any other activity contrary to Mozilla's CA
policy - although we received (and rejected) a request through normal
commercial channels for such sub-CA certificates to be issued.

And GlobalSign the same:

Over the last couple of years GlobalSign has received several requests
from large enterprises who run services such as Websense with a need for
this type of CA.  We have declined in all cases.  We've always recommended
for enterprises to create their own internal CA and seed those to their
client network.

Although they got called out on the "Trusted Root for Inhouse PKI/Certificate Authority" product.
And I put in some relevant quotes from Peter Gutmann and Lucky Green
when this came up last time.

-tom
