CA/Forbidden or Problematic Practices

From MozillaWiki
Revision as of 16:57, 2 May 2008 by Hecker (talk | contribs)

Problematic CA Practices

This page contains draft comments about various CA practices that have been the subject of discussion in past CA evaluations. In general these practices are not explicitly addressed by the Mozilla CA certificate policy, and we do not necessarily consider them security risks. However we want to highlight them because they've occasioned concern in the past and have in some cases caused approval of applications to be delayed. Some of these practices may be addressed in future versions of the policy.

Long-lived DV certificates

Some CAs issue domain-validated certificates that have expiration times several years in the future. A DV certificate attests only to ownership and control of a domain name, and the owner of a domain name may have acquired it from others. It is therefore possible for the previous

Wildcard SSL certificates

To be written.

Issuing end entity certificates directly from roots

Some CAs issue end entity certificates directly from the root (i.e., signed using the root CA private key). This is not as secure as using an offline root and issuing certificates using a subordinate CA.
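The following Go program is an added example for this page (it is not Mozilla's or any CA's own tooling) showing how the practice above is visible in the certificate chain. Using only the standard library, it builds in memory a root CA, a subordinate CA, one end entity certificate signed by the root directly and one signed by the subordinate, then verifies each end entity certificate and reports whether its verified chain is just [leaf, root]. All names ("Example Root CA", "direct.example.test", and so on) and serial numbers are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal template: CA:TRUE with keyCertSign for a CA, CA:FALSE for an end entity.
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// sign generates a fresh key pair for the template and has parentKey sign it; a nil parent means self-signed (the root).
func sign(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed root: the certificate is its own parent
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issuedDirectlyFromRoot verifies leaf against the pools and reports whether some verified
// chain is just [leaf, root], i.e. the root key signed the end entity certificate itself.
func issuedDirectlyFromRoot(leaf *x509.Certificate, roots, intermediates *x509.CertPool) (bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return false, err
	}
	for _, chain := range chains { // each chain is [leaf, ...subordinate CAs, root]
		if len(chain) == 2 {
			return true, nil
		}
	}
	return false, nil
}

// demoPKI holds the constructed hierarchy used by main and by the tests.
type demoPKI struct {
	Roots, Intermediates        *x509.CertPool
	DirectLeaf, SubordinateLeaf *x509.Certificate
}

// buildDemoPKI creates root, subordinate CA and two end entity certificates in memory (all names made up).
func buildDemoPKI() (*demoPKI, error) {
	root, rootKey, err := sign(newTemplate(1, "Example Root CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	sub, subKey, err := sign(newTemplate(2, "Example Issuing CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	direct, _, err := sign(newTemplate(3, "direct.example.test", false), root, rootKey) // the discouraged practice
	if err != nil {
		return nil, err
	}
	viaSub, _, err := sign(newTemplate(4, "sub.example.test", false), sub, subKey) // issued by the subordinate CA
	if err != nil {
		return nil, err
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	intermediates.AddCert(sub)
	return &demoPKI{Roots: roots, Intermediates: intermediates, DirectLeaf: direct, SubordinateLeaf: viaSub}, nil
}

func main() {
	pki, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	for _, leaf := range []*x509.Certificate{pki.DirectLeaf, pki.SubordinateLeaf} {
		fromRoot, err := issuedDirectlyFromRoot(leaf, pki.Roots, pki.Intermediates)
		fmt.Printf("%-20s issuer=%q signed directly by root: %v (err=%v)\n", leaf.Subject.CommonName, leaf.Issuer.CommonName, fromRoot, err)
	}
}
```

Run with `go run`; the first leaf reports a two-element chain, the second a three-element one. The same check can be pointed at a real chain by loading the leaf and intermediates with x509.ParseCertificate and the trust anchors into the Roots pool. A two-element chain shows only that the root key was used to sign end entity certificates, which is the practice the text describes; it says nothing by itself about where that key is stored.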