Short reply...

Kyle Hamilton wrote:
> However, if someone can put an EV cert in and mark it as such, then
> that arguably causes more security issues for users. Thus, my
> suggestion that Mozilla create a magic trust anchor to issue
> EV-certified CAs from.
>
I think that MoFO doesn't want to build and maintain a PKI with all that it entails. That's why I ignored the idea and compared NSS as that trust anchor. Instead, only including the EV-issuing CA certificates could be an option for limitation. However, I suspect that there won't be many supporting this, even if it would be the right thing to do... not sure if there are any other feasible alternative ways in that respect.

>> Since I believe that overriding the path length isn't possible - and also
>> not feasible if the same CA root issues also other certificates than EV, the
>> only way to get some control is, to admit only the subordinated CA and mark
>> it as EV enabled. It should have path length 0.
>>
>
> Path length 1. It needs to be able to create host certs that would
> have path length 0.
>
I think you just misunderstand the path length. It refers to CAs in the chain; it's part of the basic constraints attributes of certificates. A CA certificate with path length 0 can't issue another subordinated CA certificate; it issues only end user certificates.

> Ideally, I'd like to see EV roots create time-limited rolling CAs --
> maybe 2 years in length, certify with it for a year, then after one
> year create another time-limited CA valid for 2 years, certify with it
> for only a year... the 2 year lifespan would allow for the expiration
> of the 1-year certs made by it at the end of the first year.
>
That idea would have been useful during the discussion on the EV guidelines last year; I guess it's way too late now. Also, EV CAs are allowed to issue EE certs for up to 23 months (if nothing changed in that respect since the draft version). But one year is for me the ideal validity of any EE cert!
--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
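The path-length point argued in the message above, as an added example that is not part of the thread or of NSS: a small Python model of the RFC 5280 section 6.1.4 steps (l) and (m) that govern pathLenConstraint, run over constructed chains. The `Cert` class, the CA names and the chains are invented for illustration; the code checks only issuer linkage, the cA flag and the path-length bookkeeping (no signatures, validity periods or name constraints), and, as RFC 5280 section 6.1 allows, it does not apply the trust anchor's own basicConstraints. It shows that a subordinate CA with pathLenConstraint 0 can issue host certificates but not a further CA, while pathLenConstraint 1 would permit one more CA below it.

```python
"""
pathLenConstraint check for an X.509 chain, modelled on RFC 5280 6.1.4
steps (l) and (m). Added example with constructed data; not code from
the mailing-list thread or from NSS.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal model of the fields that matter for the path-length rule (hypothetical class)."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint; None = absent


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """
    chain[0] is the trust anchor, chain[-1] the end-entity certificate.

    RFC 5280 6.1.4: max_path_length starts at n, the number of certificates
    below the anchor. For every intermediate that is not self-issued it must
    still be greater than zero and is then decremented (step l); a
    pathLenConstraint smaller than the running value tightens it (step m).
    pathLenConstraint counts the CA certificates allowed *below* the one that
    carries it, so 0 means "this CA may issue end-entity certificates only".
    """
    if len(chain) < 2:
        return False, "chain needs a trust anchor and at least one certificate"
    max_path_length = len(chain) - 1
    last = len(chain) - 1
    for i in range(1, len(chain)):
        cert = chain[i]
        if cert.issuer != chain[i - 1].subject:
            return False, f"{cert.subject!r} was not issued by {chain[i - 1].subject!r}"
        if i == last:
            break  # end-entity certificate: no path-length processing (6.1.5)
        if not cert.is_ca:
            return False, f"{cert.subject!r} is not a CA but has issued a certificate"
        if cert.subject != cert.issuer:  # step (l): not self-issued
            if max_path_length <= 0:
                return False, f"pathLenConstraint exceeded at {cert.subject!r}"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:  # step (m)
            max_path_length = cert.path_len
    return True, "ok"


# Constructed sample chains (names are invented).
ROOT = Cert("Example Root CA", "Example Root CA", True)
EV_SUB_PL0 = Cert("Example EV CA", "Example Root CA", True, path_len=0)
EV_SUB_PL1 = Cert("Example EV CA", "Example Root CA", True, path_len=1)
EXTRA_SUB = Cert("Extra Sub CA", "Example EV CA", True)
HOST = Cert("www.example.com", "Example EV CA", False)
HOST_VIA_EXTRA = Cert("www.example.com", "Extra Sub CA", False)
NON_CA_ISSUER = Cert("Not A CA", "Example EV CA", False)
HOST_VIA_NON_CA = Cert("www.example.com", "Not A CA", False)


def demo() -> dict:
    """Run the check over the sample chains and return the verdicts."""
    return {
        # pathLen 0 sub-CA issuing a host certificate: allowed
        "pl0_host": check_path_length([ROOT, EV_SUB_PL0, HOST]),
        # pathLen 0 sub-CA issuing a further CA: rejected
        "pl0_subca": check_path_length([ROOT, EV_SUB_PL0, EXTRA_SUB, HOST_VIA_EXTRA]),
        # pathLen 1 sub-CA issuing a further CA: allowed
        "pl1_subca": check_path_length([ROOT, EV_SUB_PL1, EXTRA_SUB, HOST_VIA_EXTRA]),
        # end-entity certificate used as an issuer: rejected regardless of path length
        "non_ca_issuer": check_path_length([ROOT, EV_SUB_PL0, NON_CA_ISSUER, HOST_VIA_NON_CA]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} {'OK ' if ok else 'BAD'} {reason}")
```

The `pl0_subca` case is the one the message describes: a sub-CA marked with path length 0 is stopped from delegating, which is what makes it a usable control point for an EV-only subordinate. Real validators (NSS, OpenSSL) apply the same rule as part of full chain building, together with the signature, validity and name checks this model omits.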