[cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root
ag4ve.us at gmail.com
Mon Apr 6 11:21:41 EDT 2015
Good catch - it would seem 10 years old to be exact:
On Mon, Apr 6, 2015 at 10:30 AM, Peter Bowen <pzbowen at gmail.com> wrote:
> I think that press release is years old. GeoTrust was bought by VeriSign
> years ago who was then bought by Symantec.
> This kind of agreement now requires the subordinate to be audited to the
> same standards as all other public CAs.
> On Apr 5, 2015 3:03 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
>> It appears Google's Internet Authority G2 (https://pki.google.com)
>> could be part of this program since the subordinate CA is certified by
>> GeoTrust Global CA. If you look at the certificate, it is *not* name
>> constrained so Google can mint certificates for any domain (and not
>> just its web properties). I'm not too worried about Google. But I
>> can't say the same for any old organization that joins this program.
>> Both the IETF and CA/B Forums have name constraints that could be used
>> to enforce policy. The relevant documents are RFC 5280, 4.2.1.10 Name
>> Constraints and Baseline Requirements, 9.7 Technical Constraints in
>> Subordinate CA Certificates via Name Constraints.
>> I'm not sure if the program targeting organizations as a subordinate
>> CA is a bad idea or if GeoTrust is doing a bad job by not using name
>> constraints. But as it stands, I don't like the smell of things.
>> cryptography mailing list
>> cryptography at randombit.net
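An added example, not part of the thread or any CA's code: a minimal Python model of how dNSName name constraints (RFC 5280, section 4.2.1.10) limit what a subordinate CA can issue, next to an unconstrained subordinate like the one discussed above. The CA models, subtrees and hostnames are constructed sample data, and only dNSName constraints are handled.

```python
# Added illustration: dNSName name-constraint matching per RFC 5280, 4.2.1.10.
# All CA models, subtrees and hostnames below are constructed sample data.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(host, subtree):
    """True if host equals subtree or only adds labels on its left-hand side.

    Comparison is per label, so 'evilcorp.example' is NOT inside
    'corp.example' (a plain string suffix test would wrongly accept it).
    """
    h, s = _labels(host), _labels(subtree)
    return len(h) >= len(s) and h[-len(s):] == s

def ca_allows(host, permitted=None, excluded=()):
    """Apply one CA certificate's dNSName constraints to host.

    permitted=None models a certificate with no permitted dNSName subtrees
    (or no nameConstraints extension at all): every name is in scope.
    """
    if any(in_subtree(host, s) for s in excluded):
        return False  # excluded subtrees take precedence over permitted ones
    if permitted is None:
        return True
    return any(in_subtree(host, s) for s in permitted)

def chain_allows(host, chain):
    """A name is acceptable only if every CA in the path allows it."""
    return all(ca_allows(host, **ca) for ca in chain)

def audit(names, chain):
    """Map each candidate name to whether the chain may certify it."""
    return {n: chain_allows(n, chain) for n in names}

# Constructed models: a root and two subordinate CAs chained to it.
ROOT = {}                      # no nameConstraints
UNCONSTRAINED_SUB = {}         # subordinate without nameConstraints
CONSTRAINED_SUB = {"permitted": ["corp.example"],
                   "excluded": ["lab.corp.example"]}

if __name__ == "__main__":
    names = ["www.corp.example", "host.lab.corp.example",
             "evilcorp.example", "www.other.example"]
    for label, sub in (("unconstrained", UNCONSTRAINED_SUB),
                       ("constrained", CONSTRAINED_SUB)):
        print(label, audit(names, [ROOT, sub]))
```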