Eddy Nigg (StartCom Ltd.) wrote:
> Nelson Bolyard wrote:
>> Regarding TurkTrust, if (as they say) the test certs come from a CA
>> that chains up to a separate, untrusted root, then all is well. But
>> perhaps you could ask for a test cert and its chain, just to make sure
>> it doesn't chain up to a to-be-trusted root?
> In my opinion this is not enough, but as I indicated previously, the CA
> policy and practice statements must be very clear in that respect.
> Nobody else is to blame afterwards if it remains as is, because it's in
> the CPS. Even if today the unvalidated certificates are issued from a
> different root, it can be issued in the future from the root in the NSS
> store, because that's what their CPS says today.

Thank you for that clarification, Eddy! I appreciate your thoroughness!

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto