Why "almost every piece of PKIX validating software" ? I think it would be worth it if, at a minimum... - the majority of CAs added the extension to the certificates they issue, and... - Mozilla implemented support for the extension in NSS.
This would allow Mozilla to disable a weak algorithm quickly, without having to wait for the majority of certificates in the wild to stop using that algorithm for their main certificate signature. I think the biggest barrier to adoption would be convincing enough of the CAs to implement it. But perhaps the Mozilla CA Certificate Policy could be updated to require CAs to implement it? On Tuesday 13 January 2009 14:50:32 Paul Hoffman wrote: > At 9:55 AM +0000 1/13/09, Rob Stradling wrote: > >Thanks Ben. Perhaps it's time to have another go at canvassing support > > for the idea. In 2006, the PKIX WG didn't seem interested in tackling > > the problem I was trying to solve. > > > >Paul, do you think it's worth re-raising this idea with the PKIX WG ? > > Dunno. The WG seems willing to take on anything that will keep it alive > longer. On the other hand, even if your spec is accepted by the WG, I > highly doubt you will get enough implementation to make it worth your time. > That is, unless almost every piece of PKIX validating software added the > extension, it wouldn't really add much value. > > --Paul Hoffman > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
