
Re: SSL server certificate that has an intermediary certificate in the chain
Erwann ABALEA wrote:
2011/8/1 Howard Chu <hyc@symas.com>:
[...]
If there were indeed anything to be gained by such a feature, it would also
need to be implemented on clients. Look around - do any web browsers allow
you to isolate CAs like this?

Yes. You can basically isolate CAs into 3 categories (they can interleave):
  - CAs trusted to issue server certs
  - CAs trusted to issue email certs
  - CAs trusted to issue code signing certs

Again, nonsense. It's not up to the end-user to configure such things, it's up to the parent CA to set the appropriate keyUsage bits in the CA cert. Again *if you trust the CA in the first place* then you trust it, period. If you don't trust the CA to issue correctly generated certs, then that's a completely separate problem and you shouldn't be dealing with that CA anyway.

It's utter nonsense.

What is nonsense is having a bag full of CAs for mixed usage. More, you even mix CAs that need to be sent to the client (so it can build a certificate path) with CAs that the server trusts (to verify client certs).
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
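The two positions in the thread, the verifier choosing which purpose it trusts a CA for and the parent CA restricting what its sub-CA may issue, can both be seen in a single chain validation. This is an added example written in Go with the standard crypto/x509 package; it is not code from the thread or from OpenLDAP. The CA names and the throwaway keys are constructed for the demonstration. The Roots pool holds the CAs the verifier trusts, the Intermediates pool holds path-building material only (the split Erwann asks for), and the intermediate carries an extended key usage of serverAuth only, so a leaf issued under it verifies for server use but not for e-mail even though the leaf itself claims both.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newTemplate builds a certificate template; CA templates get keyCertSign, leaves do not.
func newTemplate(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku,
	}
}
// sign issues tmpl under parent with a fresh P-256 key; a nil parent yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, parentKey = tmpl, key } // self-sign the root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}
// verifyFor reports whether leaf chains to a trusted root when the verifier demands one purpose.
// Roots are the CAs the verifier trusts; Intermediates are only used to build the path.
func verifyFor(leaf *x509.Certificate, inters, roots *x509.CertPool, purpose x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}
// BuildAndCheck makes a constructed PKI (root -> TLS-only intermediate -> leaf) and returns
// whether the leaf verifies for serverAuth and for emailProtection, in that order.
func BuildAndCheck() (bool, bool) {
	root, rootKey := sign(newTemplate("Constructed Root CA", 1, true, nil), nil, nil)
	inter, interKey := sign(newTemplate("Constructed TLS Issuing CA", 2, true, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), root, rootKey)
	leaf, _ := sign(newTemplate("www.example.test", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection}), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(inter)
	return verifyFor(leaf, inters, roots, x509.ExtKeyUsageServerAuth),
		verifyFor(leaf, inters, roots, x509.ExtKeyUsageEmailProtection)
}
```

Note that the root carries no extended key usage at all, so the restriction that rejects the e-mail purpose comes entirely from the intermediate, which is the issuing CA's choice rather than the end user's.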