Nelson Bolyard wrote:
> Regarding TurkTrust, if (as they say) the test certs come from a CA
> that chains up to a separate, untrusted root, then all is well. But
> perhaps you could ask for a test cert and its chain, just to make sure
> it doesn't chain up to a to-be-trusted root?

In my opinion this is not enough, but as I indicated previously, the CA policy and practice statements must be very clear in that respect. Nobody else is to blame afterwards if it remains as is, because it's in the CPS. Even if today the unvalidated certificates are issued from a different root, they can be issued in the future from the root in the NSS store, because that's what their CPS says today.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto