[Cryptography] Request for a second opinion

Tushar Patel tjpatel.tl at gmail.com
Fri Jul 9 16:01:13 EDT 2021


For some time, the CA/Browser Forum has been using CAs that have the
extended key usage as "TLS Web Server Authentication, TLS Web Client".

However, I feel that this can lead to an attack, though CAs can be trusted,
the authority for the CA should be the validation of the leaf certificate
having the same flags. Yes, one could assume that the CA will safeguard the
private key; however, there are cases in which duplicates could be
generated and then used (at some later date).

In the case of SSO, this might be okay; however, in the case of passwords,
it could be extremely risky.

What do you think?
a. Request a change to CA browser policy?
b. Will it be okay to support such CA certs?

Thx.,
Tushar