On Wed, Dec 24, 2008 at 6:17 AM, Frank Hecker <hec...@mozillafoundation.org> wrote:
> Gen Kanai wrote:
>>
>> More discussion on this topic over at Programming Reddit:
>>
>> http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/
>
> Unfortunately the discussion devolved (as it always does :-) into the merits
> of self-signed certificates. Oh well.
>
> Frank

Honestly, I get more mileage out of doing my own diligence. This is why I want to have my own root certificate that I can cross-sign the various commercial CA certificates with, so that I can revoke those cross-signatures if they turn out to have a problem.

I'd like to see an extension that allows other certificates (for the same public key) to be included in a certificate (self-signed or not). This would protect against one of the threats against the OpenPGP model, would create a means for certifications to be cherry-picked for any given application, and would allow other identities for that public key to be added by the identity collector -- but would also create a linkage back to the identity collector's public key.

(realistically, the only reason for the signature on an external certificate that contains an extension like this would be because no X.509 software handles the TBSCertificate structure without the signature.)

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto