Frank Hecker wrote, On 2008-03-18 05:17:
> Right now we don't have any technical mechanism to accept only EV
> certificates issued within a CA hierarchy, but not EV certs from within
> that same hierarchy.

I think there must be a word missing from that sentence. As it reads,
it says "... to accept <thing A> but not <thing A>." I suspect you meant
"... to accept EV certs, but not NON-EV certs, from the same CA hierarchy."
Is that what you meant?

> It's possible to imagine such a mechanism, but it
> would require additional code at the NSS or PSM level.

NSS offers methods to ask "Is this a valid cert (regardless of EV)?" and
"Is this a valid EV cert?" With those two methods, it is possible for a
user of NSS (such as PSM) to achieve the result that (I *think*) you
described (EV or non-EV certs accepted exclusively, subordinate to some
root).

But I do not understand under what circumstances such a thing would be
desired. How would the browser decide when to invoke this rule? How would
the browser discern a CA hierarchy in which both EV and non-EV certs are
accepted from one in which only EV (or only non-EV) certs were to be
accepted?

> If there's a general feeling that such a mechanism would be useful then
> people are free to contribute it or (if no one is willing or able to do
> it) the Mozilla Foundation could help fund its creation.

/Nelson