[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

Peter Bowen pzbowen at gmail.com
Mon Apr 6 10:30:29 EDT 2015


I think that press release is years old.  GeoTrust was bought by VeriSign
years ago, which was then bought by Symantec.

This kind of agreement now requires the subordinate to be audited to the
same standards as all other public CAs.
On Apr 5, 2015 3:03 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:

>
> http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
>
> It appears Google's Internet Authority G2 (https://pki.google.com)
> could be part of this program since the subordinate CA is certified by
> GeoTrust Global CA. If you look at the certificate, it is *not* name
> constrained so Google can mint certificates for any domain (and not
> just its web properties). I'm not too worried about Google. But I
> can't say the same for any old organization that joins this program.
>
> Both the IETF and CA/B Forums have name constraints that could be used
> to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
> Constraints and Baseline Requirements, 9.7 Technical Constraints in
> Subordinate CA Certificates via Name Constraints.
>
> I'm not sure if the program targeting organizations as a subordinate
> CA is a bad idea or if GeoTrust is doing a bad job by not using name
> constraints. But as it stands, I don't like the smell of things.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
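The name constraints the quoted message points to (RFC 5280 4.2.1.10, Baseline Requirements 9.7) are straightforward to apply and to check. The script below is an added example, not part of this thread and not anything GeoTrust or Google published: it builds a throwaway root, signs a subordinate CA whose certificate carries a critical nameConstraints extension permitting only example.com and its subdomains, has that sub CA issue two server certificates, and then runs openssl verify to show that path validation accepts www.example.com and rejects www.example.net with a permitted subtree violation. It assumes openssl 1.1.1 or later on PATH; every name in it (Test Root, Constrained Sub CA, example.com, example.net) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a name-constrained subordinate CA and
# the path-validation check that enforces the constraint. Requires openssl
# 1.1.1+. All subject names and hostnames below are constructed.
set -e

WORK=""   # scratch directory created by build_pki

# new_csr BASENAME CN: generate a P-256 key and a CSR for the given CN.
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign BASENAME CA EXTFILE: issue BASENAME.crt from BASENAME.csr under CA,
# adding the extensions listed in EXTFILE.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
}

build_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"

    # Self-signed root; openssl req -x509 marks it CA:TRUE by default.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.crt -subj "/CN=Test Root" -days 30 2>/dev/null

    # Subordinate CA. The critical nameConstraints extension is what a
    # technically constrained sub CA under BR 9.7 needs: a permitted DNS
    # entry without a leading dot covers the name itself and all subdomains.
    cat > sub.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:example.com
EOF
    new_csr sub "Constrained Sub CA"
    sign sub root sub.ext
}

# issue_leaf HOSTNAME: have the constrained sub CA issue a server cert whose
# SAN (and CN) is HOSTNAME. The sub CA will happily sign anything; it is the
# relying party's validator that rejects out-of-scope names.
issue_leaf() {
    cat > "$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
    new_csr "$1" "$1"
    sign "$1" sub "$1.ext"
}

# verify_leaf HOSTNAME: run path validation (root trusted, sub CA untrusted
# intermediate) and print a one-word verdict.
verify_leaf() {
    out=$(openssl verify -CAfile root.crt -untrusted sub.crt "$1.crt" 2>&1 || true)
    case "$out" in
        *"permitted subtree violation"*) echo name-constraint-violation ;;
        *": OK"*)                         echo ok ;;
        *)                                echo "other-failure: $out" ;;
    esac
}

build_pki
issue_leaf www.example.com
issue_leaf www.example.net
echo "www.example.com -> $(verify_leaf www.example.com)"
echo "www.example.net -> $(verify_leaf www.example.net)"
```

Two points worth keeping in mind when reading the output. First, the sub CA signs the www.example.net certificate without complaint; the constraint is enforced only at validation time, so it protects exactly those relying parties whose validators implement the extension (RFC 5280 requires it to be marked critical so that a validator which does not understand it rejects the chain rather than silently accepting it). Second, an unconstrained intermediate like the one described in the quoted message would make both leaves verify as "ok" here, which is the whole concern.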