[cryptography] airgaps in CAs

Arshad Noor arshad.noor at strongauth.com
Mon Dec 12 21:21:41 EST 2011

On 12/9/2011 12:27 AM, Adam Back wrote:

> Do the air gapped private PKI root certs (and if applicable their
> non-airgapped sub-CA certs they authorize) have the critical name
> constraint extension, e.g. ".foocorp.com", meaning it is only valid
> for creating certs for *.foocorp.com?

The early ones did.  However, we stopped putting in the constraint as
we became aware that it created some operational headaches when
companies merged or acquired other companies, and needed certificates
under the domain-name of the merged/acquired company (to preserve
legacy applications and customers) which were different from the
domain names in the constraint.

Secondly, the constraint is perceived as protecting the TTP CAs more
than the Subject; and since the TTP did not mandate it in their CP,
there was no reason to include it.  (I have already heard that one TTP
CA is rethinking this and is considering mandating it on all new and
renewed certs.)

> (I am presuming these private PKI certs are sub-CA certs certified by a CA
> listed in browsers.)

In some cases, that is correct.  Others are "closed" PKIs - self-signed
and only for internal use (example: as in multiple components of
bio-technology products that strongly authenticate to each other before
enabling the product's use).

Arshad Noor
StrongAuth, Inc.
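An added example, not part of the thread: the dNSName matching rule behind the name constraint discussed above, with a constructed scenario showing why a sub-CA constrained to ".foocorp.com" cannot certify an acquired company's hostnames until the constraint itself is re-issued. The domain names, the NameConstraints class and the treatment of a leading "." as "subdomains only" are assumptions of this example.

```python
# Added example (not from the thread): RFC 5280 dNSName name-constraint matching.
from dataclasses import dataclass, field


def _dns_in_subtree(name: str, subtree: str) -> bool:
    """A dNSName is within a subtree if it equals it or is a subdomain of it.
    Assumption: a leading '.' (the thread's '.foocorp.com' form) means
    'any subdomain, but not the apex', as OpenSSL-style checkers treat it."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    """Hypothetical holder for the permitted/excluded dNSName subtrees."""
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def violating_dns_names(san_dns_names, nc: NameConstraints):
    """Return the SAN dNSName entries a constrained CA may NOT certify.
    Excluded subtrees take precedence; an empty permitted list permits all."""
    bad = []
    for n in san_dns_names:
        if any(_dns_in_subtree(n, x) for x in nc.excluded):
            bad.append(n)
        elif nc.permitted and not any(_dns_in_subtree(n, p) for p in nc.permitted):
            bad.append(n)
    return bad


if __name__ == "__main__":
    # Constructed scenario: FooCorp's sub-CA is constrained to .foocorp.com,
    # then FooCorp acquires BarCo and needs one cert covering both brands.
    original = NameConstraints(permitted=[".foocorp.com"])
    wanted = ["www.foocorp.com", "api.foocorp.com", "www.barco.example"]
    print("rejected under original constraint:", violating_dns_names(wanted, original))
    # Operational fix: re-issue the sub-CA with the acquired domain added.
    reissued = NameConstraints(permitted=[".foocorp.com", "barco.example"])
    print("rejected after re-issue:", violating_dns_names(wanted, reissued))
```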
