Hi Alan,
On 11/12/19 3:40 PM, Alan DeKok wrote:
> On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
>> How does a public CA prove ownership of an SSID?
>
> Do public CAs *always* verify addresses and/or telephone numbers, which are
> normally included in certificates?
> Do public CAs verify that email addresses in the certificate work?
> Do public CAs verify that the OIDs in the certificate match the intended
> use-cases?
> Is there a global registry of SSIDs which the public CA could use to verify
> the SSID?
I'm taking these as rhetorical questions with an implied "no". If that is
not the correct way of taking them then please let me know.
So the issue is, if the CA does not check any of these things then you cannot
trust them in the certificate. The reason you trust the contents of a
certificate is because you trust the CA has done the appropriate due diligence
to validate the stuff it is certifying. If a CA doesn't do the due diligence on
any of the above stuff and still issues a certificate containing that stuff
then I would question the integrity of the CA and probably not trust other
things it is certifying. In other words, I'd probably remove that CA's cert
from my TADB.
To put it another way, I'm not sure why this question is being posed.
Here's one: Why would you trust an attribute that was not validated?
Dan.
> Alan DeKok.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu