Paul Hoffman wrote, On 2008-12-24 09:55:
> At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote:
>> I'd like to see an extension that allows other certificates (for the
>> same public key) to be included in a certificate (self-signed or not).
>
> Are you asking for a Mozilla extension or a PKIX extension? If the
> latter, none is needed: it is already inherent in PKIX. In fact, I am not
> sure that anything needs to be done by Mozilla. The following should
> theoretically work:
>
> - Remove all trust anchors one-by-one
> - Add your single trust anchor
> - Sign the certs of any CA you want
> - Add those signed certs to the pre-loaded validation path (not root)
>   cert list
>
> I haven't tried this myself, but it should work. I have been told that
> something very similar to it works fine in XP/Vista for IE.

Of course, that is COMPLETELY equivalent to simply setting trust flags on
the CA certs you want to trust, and removing those flags from the ones you
don't want to trust, which is already a part of Mozilla browsers (and
Netscape browsers, before them) for over 14 years.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto