[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

shawn wilson ag4ve.us at gmail.com
Mon Apr 6 11:21:41 EDT 2015


Good catch - it would seem 10 years old to be exact:
http://www.hostreview.com/news/050215geotrust.html

On Mon, Apr 6, 2015 at 10:30 AM, Peter Bowen <pzbowen at gmail.com> wrote:
> I think that press release is years old.  GeoTrust was bought by VeriSign
> years ago who was then bought by Symantec.
>
> This kind of agreement now requires the subordinate to be audited to the
> same standards as all other public CAs.
>
> On Apr 5, 2015 3:03 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
>>
>>
>> http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
>>
>> It appears Google's Internet Authority G2 (https://pki.google.com)
>> could be part of this program since the subordinate CA is certified by
>> GeoTrust Global CA. If you look at the certificate, it is *not* name
>> constrained so Google can mint certificates for any domain (and not
>> just its web properties). I'm not too worried about Google. But I
>> can't say the same for any old organization that joins this program.
>>
>> Both the IETF and CA/B Forums have name constraints that could be used
>> to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
>> Constraints and Baseline Requirements, 9.7 Technical Constraints in
>> Subordinate CA Certificates via Name Constraints.
>>
>> I'm not sure if the program targeting organizations as a subordinate
>> CA is a bad idea or if GeoTrust is doing a bad job by not using name
>> constraints. But as it stands, I don't like the smell of things.
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
>
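
An added example, not part of the original messages: the dNSName matching rule from RFC 5280, 4.2.1.10, applied to a list of SAN entries, to show what an unconstrained subordinate CA can issue compared with a name-constrained one. The function names and all domain names are constructed for illustration, and only dNSName constraints are handled.

```python
# Added example: dNSName name-constraint matching per RFC 5280, 4.2.1.10.
# All domain names below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def within_subtree(dns_name, constraint):
    """True if dns_name is the constraint itself or adds labels to its left.

    Comparison is label by label, so "badexample.com" is NOT inside "example.com".
    """
    name, base = _labels(dns_name), _labels(constraint)
    return len(name) >= len(base) and name[-len(base):] == base

def name_allowed(dns_name, permitted=None, excluded=None):
    """Apply one CA certificate's dNSName constraints to a single SAN entry."""
    if any(within_subtree(dns_name, c) for c in (excluded or [])):
        return False          # an excluded subtree wins over any permitted one
    if not permitted:
        return True           # no permitted dNSName subtrees: unconstrained
    return any(within_subtree(dns_name, c) for c in permitted)

def audit_issued(san_names, permitted=None, excluded=None):
    """Return the SAN entries a validator must reject under the constraints."""
    return [n for n in san_names if not name_allowed(n, permitted, excluded)]

# Constructed SAN entries from certificates issued by a hypothetical subordinate CA.
SAMPLE_SANS = [
    "www.example.com",
    "example.com",
    "mail.corp.example.com",
    "badexample.com",
    "www.example.net",
    "internal.example.com",
]

if __name__ == "__main__":
    # Subordinate without name constraints: every name is acceptable.
    print("unconstrained rejects:", audit_issued(SAMPLE_SANS))
    # Subordinate constrained to example.com, with one excluded subtree.
    print("constrained rejects:  ",
          audit_issued(SAMPLE_SANS,
                       permitted=["example.com"],
                       excluded=["internal.example.com"]))
```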

