
[Cryptography] Request for a second opinion

For some time, the CA/Browser Forum has been using CAs that have the extended key usage as "TLS Web Server Authentication, TLS Web Client".

However, I feel that this can lead to an attack. Though CAs can be trusted, the authority for the CA should be the validation of the leaf certificate having the same flags. Yes, one could assume that the CA will safeguard the private key; however, there are cases in which duplicates could be generated and then used (at some later date).

In the case of SSO, this might be okay; however, in the case of passwords, it could be extremely risky.

What do you think?
a. Request a change to CA browser policy?
b. Will it be okay to support such CA certs?

The cryptography mailing list
cryptography AT metzdowd.com