Michael Ströder wrote, On 2008-12-30 04:49:
> Ben Bucksch wrote:
>> If we decide that a CA does not operate properly, but we don't want to
>> cause problems for users, another option would be to shorten the expiry
>> date of the relevant root certs to one year or less.
>>
>> Technically, that should be possible. The cert is public anyways.
>
> But the accompanying private key is (hopefully) not public.
>
> Please, we shouldn't mess around with PKIX cert validation mechs. Just
> removing the trust flags is sufficient.

Before any more people promote the removal of trust flags, I suggest you read
https://bugzilla.mozilla.org/show_bug.cgi?id=470897#c11

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto