[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

Jeffrey Walton noloader at gmail.com
Sun Apr 5 18:03:10 EDT 2015


It appears Google's Internet Authority G2 (https://pki.google.com)
could be part of this program since the subordinate CA is certified by
GeoTrust Global CA. If you look at the certificate, it is *not* name
constrained so Google can mint certificates for any domain (and not
just its web properties). I'm not too worried about Google. But I
can't say the same for any old organization that joins this program.

Both the IETF and the CA/B Forum have name constraints that could be used
to enforce policy. The relevant documents are RFC 5280, Name
Constraints, and the Baseline Requirements, 9.7 Technical Constraints in
Subordinate CA Certificates via Name Constraints.

I'm not sure if the program targeting organizations as a subordinate
CA is a bad idea or if GeoTrust is doing a bad job by not using name
constraints. But as it stands, I don't like the smell of things.
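As an added illustration (not part of the original post, and none of the certificates or names below belong to GeoTrust or Google), the following script builds a throwaway PKI whose subordinate CA carries the RFC 5280 NameConstraints extension the post says is missing, shows how to check a sub-CA certificate for that extension, and shows OpenSSL rejecting a leaf issued outside the permitted DNS subtree. It assumes `openssl` is on the PATH; all names (`Example Root CA`, `example.com`, `example.net`) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway PKI with a
# sub-CA that carries an RFC 5280 NameConstraints extension and shows that
# OpenSSL rejects a leaf issued outside the permitted DNS subtree.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles (hypothetical names; nothing here is a real CA key)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
# The constraint the post says the sub-CA lacks: example.com and its subdomains only
printf 'nameConstraints=critical,permitted;DNS:example.com\n' >> sub.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > good.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.net\n' > bad.ext

# mkcert NAME SUBJECT [ISSUER]: generate key + CSR, then sign using NAME.ext
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ -z "$3" ]; then   # no issuer given: self-signed root
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# The check a relying party can run on any sub-CA cert: is it name constrained?
has_name_constraints() {
  openssl x509 -in "$WORK/$1" -noout -text | grep -q 'X509v3 Name Constraints'
}

# Validate root -> sub-CA -> leaf; exit status 0 = accepted, non-zero = rejected
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/$1" >/dev/null 2>&1
}

mkcert root "/CN=Example Root CA"
mkcert sub  "/CN=Example Constrained Sub CA" root
mkcert good "/CN=www.example.com" sub
mkcert bad  "/CN=www.example.net" sub   # outside the permitted subtree

has_name_constraints sub.pem && echo "sub-CA is name constrained"
verify_leaf good.pem && echo "good.pem: accepted"
verify_leaf bad.pem  || echo "bad.pem: rejected (permitted subtree violation)"
```

Run the same `has_name_constraints` check against a real intermediate (`openssl x509 -in sub.pem -noout -text`) to see whether an issuer has bounded what its subordinate can sign for.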
