Mozilla changes policy to limit risk of subordinate CA certificate abuse

Sub-CA certificates will need to have technical constraints or be publicly disclosed and audited, Mozilla's new CA Certificate Policy says

By Lucian Constantin, IDG News Service

In practice, this means that CAs can't issue sub-CA certificates with the name constraints extension marked as critical, as the specification requires, because some clients will reject such certificates outright. As a result, version 1.1 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" guidelines released by the Certification Authority/Browser (CAB) Forum allows CAs to issue sub-CA certificates with the name constraints extension set as non-critical.

"Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide," the Baseline Requirements (BRs) say.

The Mozilla Security Team said that version 2.1 of Mozilla's CA Certificate Policy requires CAs to update their operations and SSL certificate issuance to comply with version 1.1 of the CAB Forum's BRs. However, it is not immediately clear whether Mozilla's new policy will allow the name constraints extension to be marked as non-critical, Ristic said.
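As an added example (not code from the article, Mozilla or the CAB Forum), the Go program below builds a throwaway chain of root, name-constrained sub-CA and leaf, with the critical bit on the sub-CA's Name Constraints extension selectable, and validates the leaf the way a Go TLS client would. The CA names, serial numbers and the example.com constraint are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent (self-signed when parent is nil) with a fresh Ed25519 key.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CheckConstrainedChain builds root -> sub-CA (Name Constraints permitting only example.com, a constructed
// value, critical bit = critical) -> leaf for dnsName; returns the sub-CA's parsed critical flag and the leaf's verdict.
func CheckConstrainedChain(dnsName string, critical bool) (bool, error) {
	root := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	sub := root // same CA profile as the root, plus the Name Constraints extension
	sub.SerialNumber, sub.Subject = big.NewInt(2), pkix.Name{CommonName: "Constrained Sub-CA"}
	sub.PermittedDNSDomains, sub.PermittedDNSDomainsCritical = []string{"example.com"}, critical
	leaf := x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: root.NotBefore, NotAfter: root.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	rootCert, rootKey := sign(&root, nil, nil)
	subCert, subKey := sign(&sub, rootCert, rootKey)
	leafCert, _ := sign(&leaf, subCert, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCert)
	inters.AddCert(subCert)
	_, err := leafCert.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return subCert.PermittedDNSDomainsCritical, err
}
```

A client that implements the extension, as Go's verifier does, rejects a leaf outside the permitted domain whether the extension is critical or not; the critical bit only decides whether a client that does not implement it must reject the sub-CA certificate entirely, which is the compatibility problem the BRs' non-critical exception works around.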
