Bob Relyea wrote:
In addition, we only parse these kinds of constraints on intermediate certs (we currently don't have a mechanism to place name constraints on a trusted root). Even if the trusted root had constraints itself, they would be ignored once we identify the cert as trusted.
Would someone be able to estimate how much work it would be to extend the name constraints mechanism to the trusted roots, and add the ability for NSS to store its own name constraints, to be added to any in the root itself?
As you know, we do have a number of government CAs under consideration, and I would like to at least be able to propose that we make it policy that government-run or controlled CAs are trusted only for their country's TLD. I think it's only fair. But clearly I can't do that if it's a great deal of work, or if the NSS team is opposed to it for technical or other reasons.
Gerv
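The mechanism asked about in this message, as an added sketch that is not NSS code and not from either author: the root's own in-certificate constraints are skipped, as the quoted text describes, while a library-side store attaches permitted dNSName subtrees to a trusted root. The store, the certificate model and all identifiers are hypothetical, and only permitted dNSName subtrees are modelled (no excluded subtrees or other name types).

```python
# Added illustration, not NSS code: every name below is hypothetical.

def dns_in_subtree(name, base):
    """dNSName rule from RFC 5280 section 4.2.1.10: the name matches if it
    equals the base or is the base with whole labels added on the left."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)

def chain_allowed(chain, leaf_names, external=None):
    """chain: CA certs ordered root first, each {'id': str, 'permitted': list or None}.
    external: hypothetical library-side store mapping a root id to permitted subtrees."""
    external = external or {}
    active = []
    for index, ca in enumerate(chain):
        if index == 0:
            # Trusted root: constraints inside the cert are ignored (the
            # behaviour described in the quoted text); only constraints the
            # library stores for that root are applied.
            if ca["id"] in external:
                active.append(external[ca["id"]])
        elif ca["permitted"] is not None:
            active.append(ca["permitted"])
    # Every leaf name must fall inside every active permitted set.
    return all(any(dns_in_subtree(n, b) for b in permitted)
               for permitted in active for n in leaf_names)

# Constructed sample data.
CHAIN = [
    {"id": "constructed-gov-root", "permitted": ["fr"]},   # in-cert, ignored
    {"id": "constructed-intermediate", "permitted": None},
]
STORE = {"constructed-gov-root": ["fr"]}

def demo():
    return {
        "no_store_com": chain_allowed(CHAIN, ["www.example.com"]),
        "store_com": chain_allowed(CHAIN, ["www.example.com"], STORE),
        "store_fr": chain_allowed(CHAIN, ["www.example.fr"], STORE),
        "store_lookalike": chain_allowed(CHAIN, ["www.examplefr"], STORE),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, ok)
```

The `store_lookalike` case shows why the match must be made on whole labels rather than a plain string suffix.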