Jan Schejbal:
>
> I have started a new thread about this with an example why a blacklist
> is the only way to go.

Please read the thread about Debian keys first:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/b2cda44a0e6c4d5c#

>> This is induced via the name constraint extension in CA certificates.
>> This is up to the issuing CA.
>
> I would like to have a way to basically add a name constraint if the CA
> didn't. As I specifically add the certificate, I should be able to
> select "but trust this only for *.somedomain.de".
>
> As I need this for only this one CA, if it is possible to create a new
> certificate with the same modulus it would be enough to give me some
> pointers how to do that.

You can try to edit the trust flags of that see (remove all trust) and when encountering a site with a certificate from that CA to add an exception. Wild cards go as well with the exceptions.

>> If you can point to one CA even considering
>> something like this, please forward the name
>> of the CA.
>
> I assume that any Chinese CA would do this, I do not know if there are
> any.

No, so far there aren't any yet.

> But you can apply that to other countries. There is a CA located in
> Israel that is trusted in FF. I think that if the Mossad wanted a fake
> cert, they would get it fairly quickly, one way or the other.

LOL!! I AM THE REPRESENTATIVE AND FOUNDER OF STARTCOM! I run the StartCom CA (the one located in Israel) and I can assure you that there is no such thing, never was and never will be! :-)

More on this topic: I guess the Mossad doesn't need the services of StartCom nor does any "party of interest" use certificates issued by a legitimate CA either. That's just pure FUD.

> And I
> don't know what would happen if the DHS or NSA asked Verisign for
> something like this in the name of national security.
>

Nothing would happen...but I'll let the representative of Verisign confirm that by himself perhaps...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto