Monday, 2 March 2015

I want trusted SMIME certificates for 3rd parties. Is this a reasonable configuration?



I want to send out SMIME certificates with my emails, and want to deploy the following PKI



Root01 (All EKU, All Constraints, No Restrictions)
    PolicyInt01 (Internal applications, not trusted by 3rd parties...)
    PolicyExt01 (Name constraints = domain.com, EKU=Message signing)
        IssueExt01 (Issues certificates for PolicyExt01)


My intent is to ask external parties to trust PolicyExt01 and add that to the trusted root store. Since it is constrained, and limited in use, I think that most intelligent 3rd parties wouldn't have an issue with this.


Question




  • Is this an acceptable configuration for deploying trusted SMIME certs outside our organisation?




  • What changes would you make in order for you, yourself as a security admin, to this process?




  • Is there any risk of this certificate pkipolext01 cross-signing/chaining another certificate, causing unexpected escalation of rights?
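
The constrained branch described in the question, written as OpenSSL x509v3 extension sections. This is an added example, not part of the original post; the section names, the pathlen values, the sample mailbox and the mapping of "Message signing" to the emailProtection EKU are assumptions.

```ini
# Constructed example: extension sections for an OpenSSL extensions file.
# Section names, pathlen values and the emailProtection mapping are assumptions.

[ ext_policyext01 ]
# Applied when Root01 signs PolicyExt01.
# pathlen:1 allows exactly one CA level below it (IssueExt01).
basicConstraints       = critical, CA:TRUE, pathlen:1
keyUsage               = critical, keyCertSign, cRLSign
# "Message signing" mapped to the S/MIME EKU (assumption).
extendedKeyUsage       = emailProtection
# Permit only mailboxes at the host domain.com. A leading dot
# (.domain.com) would instead match mailboxes in subdomains.
nameConstraints        = critical, permitted;email:domain.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ ext_issueext01 ]
# Applied when PolicyExt01 signs IssueExt01.
# pathlen:0 means IssueExt01 can sign end-entity certificates only,
# so a CA certificate issued below it fails path validation.
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
extendedKeyUsage       = emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ ext_smime_user ]
# Applied when IssueExt01 signs a user certificate.
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = emailProtection
# Constructed mailbox; it must fall inside the permitted name constraint.
subjectAltName         = email:user@domain.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
```

Each section is selected at signing time with the `-extfile` and `-extensions` options of `openssl x509 -req`.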






