At 1:49 PM +0100 12/30/08, Michael Ströder wrote: >Please, we shouldn't mess around with PKIX cert validation mechs.
Fully agree. The definition of the notAfter field in PKIX has nearly nothing to do with "expiry". It is widely argued whether or not this field is even useful in self-signed certificates, given the definition. >Just >removing the trust flags is sufficient. As Nelson points out (repeatedly), that's not sufficient. However, it is a better direction than futzing with the PKIX cert itself. Given what we know about incompetent and rogue subordinate CAs, having a "replacement cert" mechanism for NSS / Mozilla trust anchor stores would be great. >I see no problem the schedule the removal of a trust flag. For security >reasons all users have to update browsers from time to time anyway. ;-} Quite right. --Paul Hoffman _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
