Eddy Nigg (StartCom Ltd.) wrote:
> Oh, and in that respect I have another interesting question. Suppose a
> CA issues EV certificates (audited and conforming to the relevant
> criteria in every respect) but their other CA business (meaning non-EV)
> would fail to conform to the Mozilla CA policy, what would happen? What
> are the (technical) options and possibilities? Could a CA be trusted
> when issuing EV certificates but not for other types of certificates? Or
> must any EV enabled root also otherwise be enabled? What would we (have
> to) do in such a case?

Right now we don't have any technical mechanism to accept only EV certificates issued within a CA hierarchy, but not EV certs from within that same hierarchy. It's possible to imagine such a mechanism, but it would require additional code at the NSS or PSM level. If there's a general feeling that such a mechanism would be useful then people are free to contribute it or (if no one is willing or able to do it) the Mozilla Foundation could help fund its creation.

Frank

--
Frank Hecker
[EMAIL PROTECTED]