>> So I think it would be best if the browser detected that there is
>> a better-suited certificate (one which doesn't need explicit user
>> interaction); the browser should then also invoke explicit approval
>> if the NR certificate is used even though "select automatically"
>> was configured (explaining that this specific certificate is a
>> formal signature).
>That's an interesting idea. Please file an Enhancement request "bug"
>in bugzilla.mozilla.org. But I wouldn't expect it to be implemented in
>the next 6 months, because there's so much work scheduled ahead of it.
>So in the meantime, get an EKU extension if you can.

I would be very hesitant about such a change as the "algorithm"
behind this "better-suited certificate" stuff is anything but clear[*].

In fact, it seems that most issuers do not make a distinction between
signature and authentication certificates these days.

The meaning of the NR-bit has been discussed to death in PKIX but no
RFC was produced as there was no consensus on what it actually meant :-(

Anders R

[*] There is to my knowledge no standard for identifying a "suite" of
certificates, only local conventions. These conventions MAY be universal
but I would not count on it.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto