Nelson Bolyard wrote:
> Now, there's simply no way that we can deny that those users are in control
> of the CAs they trust. The collected trust information stored by NSS for
> them is their trust anchor (in my view).

I think it's possible that you've overstated the prominence of these users, since you probably hear from quite a lot of them. But, let's pretend I accept this claim as reality. Why should we limit the authority of CAs that users trust?

You wrote that "name space constraints are a fundamental part of X.509 v3 certs". There are several fundamental parts of X.509 certs that are irrelevant in practice, so this argument seems to hinge on the premise that users actually care about the name space constraints in certs.

I would welcome a concrete example of this capability being used in practice. I'm not too interested in the unmet promises of the PKI model.

-Rob