[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

ITechGeek itg at itechgeek.com
Sun Apr 5 18:25:05 EDT 2015


So does this mean Iran & the like can stop hacking CAs and buy their own
GeoTrust cert to MITM their population?



-----------------------------------------------------------------------------------------------
-ITG (ITechGeek)
ITG at ITechGeek.Com
https://itg.nu/
GPG Keys: https://itg.nu/contact/gpg-key
Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook:
http://fb.me/Jbwa.Net

On Sun, Apr 5, 2015 at 6:03 PM, Jeffrey Walton <noloader at gmail.com> wrote:

>
> http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
>
> It appears Google's Internet Authority G2 (https://pki.google.com)
> could be part of this program since the subordinate CA is certified by
> GeoTrust Global CA. If you look at the certificate, it is *not* name
> constrained so Google can mint certificates for any domain (and not
> just its web properties). I'm not too worried about Google. But I
> can't say the same for any old organization that joins this program.
>
> Both the IETF and CA/B Forums have name constraints that could be used
> to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
> Constraints and Baseline Requirements, 9.7 Technical Constraints in
> Subordinate CA Certificates via Name Constraints.
>
> I'm not sure if the program targeting organizations as a subordinate
> CA is a bad idea or if GeoTrust is doing a bad job by not using name
> constraints. But as it stands, I don't like the smell of things.
>
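
The name-constraint check that the quoted message points to (RFC 5280, 4.2.1.10), as an added example that is not part of the original thread: it applies dNSName permitted and excluded subtrees to a list of names, comparing what a subordinate CA without constraints may issue against one constrained to a single domain. The function names and sample names are constructed for illustration.

```python
"""RFC 5280 section 4.2.1.10 dNSName name-constraint matching (added example)."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def within_subtree(dns_name, constraint):
    """True if dns_name equals constraint or adds labels on its left."""
    name, base = _labels(dns_name), _labels(constraint)
    if not base:              # an empty constraint matches every DNS name
        return True
    # Compare whole labels, so "notcorp.example" is not inside "corp.example".
    return len(name) >= len(base) and name[-len(base):] == base


def dns_name_allowed(dns_name, permitted=None, excluded=()):
    """Apply a subordinate CA's dNSName constraints to one SAN entry.

    permitted=None models a CA certificate with no permittedSubtrees of
    type dNSName: every name passes unless it is excluded.
    """
    if any(within_subtree(dns_name, c) for c in excluded):
        return False          # excludedSubtrees take precedence
    if permitted is None:
        return True
    return any(within_subtree(dns_name, c) for c in permitted)


def audit(san_names, permitted=None, excluded=()):
    """Return the SAN entries that the constraints would reject."""
    return [n for n in san_names
            if not dns_name_allowed(n, permitted, excluded)]


# Constructed sample data: hypothetical names, not from any real certificate.
SAMPLE_SANS = ["www.corp.example", "mail.corp.example",
               "corp.example.other.test", "notcorp.example", "bank.test"]

if __name__ == "__main__":
    print("unconstrained sub-CA rejects:", audit(SAMPLE_SANS))
    print("constrained sub-CA rejects:  ",
          audit(SAMPLE_SANS, permitted=["corp.example"]))
```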