CA/Forbidden or Problematic Practices: Difference between revisions
Revision as of 16:57, 2 May 2008
Problematic CA Practices
This page contains draft comments about various CA practices that have been the subject of discussion in past CA evaluations. In general these practices are not explicitly addressed by the Mozilla CA certificate policy (http://www.mozilla.org/projects/security/certs/policy), and we do not necessarily consider them security risks. However we want to highlight them because they've occasioned concern in the past and have in some cases caused approval of applications to be delayed. Some of these practices may be addressed in future versions of the policy.
Long-lived DV certificates
Some CAs issue domain-validated certificates that have expiration times several years in the future. A DV certificate attests only to ownership and control of a domain name, and the owner of a domain name may have acquired it from others. It is therefore possible for the previous
Wildcard SSL certificates
To be written.
Issuing end entity certificates directly from roots
Some CAs issue end entity certificates directly from the root (i.e., signed using the root CA private key). This is not as secure as using an offline root and issuing certificates using a subordinate CA.
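The two concerns above (long-lived DV certificates, and end-entity certificates signed directly by a root) are both things an evaluator can check mechanically on a certificate chain. The following is an added example, not code from the wiki page or from Mozilla's CA program. It models certificates as constructed records carrying only the X.509 fields the checks need (subject, issuer, validity dates, CA flag, validation type), builds the chain from leaf to root by matching issuer to subject, and reports a leaf that chains straight to a self-signed root or a DV leaf whose validity exceeds a threshold. The two-year `MAX_DV_DAYS` threshold and all certificate names are assumptions for illustration; the page itself names no limit.

```python
from datetime import datetime

# Assumed threshold for "long-lived" DV certificates; the page names none.
MAX_DV_DAYS = 2 * 365


def cert(subject, issuer, not_before, not_after, is_ca, validation=None):
    """Build a constructed certificate record (not a real X.509 certificate).

    'validation' stands in for what a real checker would derive from the
    certificate policy OIDs (DV/OV/EV); None for CA certificates.
    """
    return {
        "subject": subject,
        "issuer": issuer,
        "not_before": datetime.fromisoformat(not_before),
        "not_after": datetime.fromisoformat(not_after),
        "is_ca": is_ca,
        "validation": validation,
    }


# Constructed sample hierarchy: an offline root, one subordinate issuing CA,
# and three leaves exhibiting the good case and the two problematic cases.
ROOT = cert("Example Root CA", "Example Root CA", "2008-01-01", "2028-01-01", True)
SUB = cert("Example Issuing CA", "Example Root CA", "2008-01-01", "2018-01-01", True)
LEAF_OK = cert("www.example.net", "Example Issuing CA", "2008-05-02", "2009-05-02", False, "DV")
LEAF_LONG = cert("www.example.org", "Example Issuing CA", "2008-05-02", "2013-05-02", False, "DV")
LEAF_FROM_ROOT = cert("www.example.com", "Example Root CA", "2008-05-02", "2009-05-02", False, "DV")
POOL = [ROOT, SUB]  # the CA certificates available for chain building


def is_self_signed(c):
    return c["subject"] == c["issuer"]


def build_chain(leaf, pool):
    """Follow issuer -> subject links from the leaf until a self-signed cert
    is reached, an issuer is missing, or a loop is detected."""
    by_subject = {c["subject"]: c for c in pool}
    chain = [leaf]
    while not is_self_signed(chain[-1]):
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None or parent in chain:
            break
        chain.append(parent)
    return chain


def audit(leaf, pool, max_dv_days=MAX_DV_DAYS):
    """Return a list of findings for one end-entity certificate."""
    findings = []
    chain = build_chain(leaf, pool)
    root = chain[-1]
    if not is_self_signed(root):
        findings.append("chain does not end in a self-signed root")
    elif len(chain) == 2:
        # Leaf signed by the root key itself: no subordinate CA in between.
        findings.append(
            f"end-entity certificate issued directly from root '{root['subject']}'"
        )
    days = (leaf["not_after"] - leaf["not_before"]).days
    if leaf["validation"] == "DV" and days > max_dv_days:
        findings.append(f"DV certificate valid for {days} days (threshold {max_dv_days})")
    return findings


if __name__ == "__main__":
    for leaf in (LEAF_OK, LEAF_LONG, LEAF_FROM_ROOT):
        print(leaf["subject"], audit(leaf, POOL) or ["no findings"])
```

A real evaluator would read the same fields from parsed certificates (the CA flag from Basic Constraints, the validation type from the policy OIDs); the chain-walking and the two policy tests are unchanged by that substitution.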