Maybe a TXT record or recordset with the AKIDs that it authorizes to sign things in that domain?
-Kyle H

On 8/14/06, Balint Balogh <[EMAIL PROTECTED]> wrote:
Hello

> In general, this cannot be done. It is possible to put "name constraints"
> on CAs that are subordinate to a root CA, but not generally on root CAs.

I was afraid of getting an answer like this, but thanks for replying anyway. :)

> The user has control over which CAs he trusts. If there are CAs in the
> browser's list that the user believes to be untrustworthy, then the user
> can tell his browser to actively distrust them.

User control of that sort is an adequate tool if the issue is about a specific set of CAs considered untrustworthy in general. However, the problem is the other way around: all except one CA (or set of CAs) are considered untrustworthy, but only for a very specific purpose; they are considered trustworthy otherwise.

> If you really don't trust any CAs except your own to be truthful to you,
> then you should mark all other CAs but your own as distrusted.

This is not a practical possibility, because that would render SSL/TLS-secured browsing and S/MIME-secured email correspondence outside of example.com impossible. (Assuming users are trained to reject any communication attempt involving invalid certificates, which they should be if we are to talk about security at all.)

It seems to me this issue is a grave security problem. Fortunately it can be corrected from the client side alone, without touching established protocols and standards, by allowing users to set local policies about which CAs are allowed to sign certificates matching certain criteria (e.g. those that belong to a specific domain).

I would really like to hear others' opinion about this issue.

Regards,
Balint Balogh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
-- 
-Kyle H
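The domain-scoped CA policy both posts sketch (Balint's local client-side policy; Kyle's TXT record listing the AKIDs authorized for a domain) as an added example that is not from the thread or any Mozilla code. The record syntax `v=caauth1; akid=...`, the example.com policy and the AKID hex values are all constructed assumptions; the check compares the leaf certificate's Authority Key Identifier against the set the policy allows for the most specific matching domain.

```python
"""Client-side check: which CA keys (by AKID) may sign certificates for which domains.

Constructed example. The TXT-record-style syntax below is an assumption, not a standard:
    "v=caauth1; akid=<hex>[,<hex>...]"
"""
import re
from typing import Dict, Optional, Set

TXT_RE = re.compile(r"^v=caauth1;\s*akid=([0-9a-fA-F:,\s]+)$")


def norm_akid(akid: str) -> str:
    """Normalize an AKID so 'AA:BB:CC:DD' and 'aabbccdd' compare equal."""
    return akid.strip().replace(":", "").lower()


def parse_txt_policy(txt: str) -> Set[str]:
    """Parse one (constructed-format) policy record into the set of allowed AKIDs."""
    m = TXT_RE.match(txt.strip())
    if not m:
        raise ValueError("unrecognized policy record: %r" % txt)
    return {norm_akid(a) for a in m.group(1).split(",") if a.strip()}


def policy_for_host(policy: Dict[str, Set[str]], host: str) -> Optional[Set[str]]:
    """Return the allowed-AKID set for the most specific domain covering host.

    A policy for example.com also covers mail.example.com, but not notexample.com.
    None means no local policy exists, so ordinary trust-store validation applies.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return None


def issuer_allowed(policy: Dict[str, Set[str]], host: str, leaf_akid: str) -> bool:
    """True if the CA key identified by the leaf's AKID may sign for host under local policy.

    This check runs in addition to, not instead of, normal chain validation.
    """
    allowed = policy_for_host(policy, host)
    if allowed is None:
        return True  # unconstrained domain: any trusted CA is acceptable
    return norm_akid(leaf_akid) in allowed


# Constructed local policy: only two CA keys may sign for example.com and its subdomains.
EXAMPLE_POLICY = {"example.com": parse_txt_policy("v=caauth1; akid=AA:BB:CC:DD,11:22:33:44")}
```

If the policy is fetched from DNS rather than configured locally, the record itself needs an authenticated source (DNSSEC or a pre-pinned copy), otherwise the trust decision rests on unauthenticated DNS.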