Re: Forcing specific CA for domain

2006-08-14 Thread Balint Balogh
Hello

> In general, this cannot be done. It is possible to put "name constraints"
> on CAs that are subordinate to a root CA, but not generally on root CAs.

I was afraid of getting an answer like this but thanks for replying anyway. :)

> The user has control over which CAs he trusts. If there a

Re: is this a non-intended usage of "roots" module?

2006-08-14 Thread Nelson B
David, As you've already discovered, there's not much difference between the certs being in the cert db versus the certs being in the root certs module. They're just two somewhat different ways to hold certs and their related trust flags. While you're working out the detail, I suggest you keep on

Re: Forcing specific CA for domain

2006-08-14 Thread Nelson B
Balint Balogh wrote:

> Hello
>
> Suppose Example Ltd. runs its own local CA that issues certificates to servers
> and email addresses at example.com and its subdomains. The certificate of this
> CA is installed as a trusted CA certificate into every browser (Firefox) and
> email client (Thunderbir

Re: pkcs#7 envelopeddata decoding

2006-08-14 Thread Nelson B
Michiel van Meersbergen wrote:

> Another 'oddity' I should mention, is that the PKCS#11 DLL which provides
> access to the appropriate certificates and keys will ask for the proper
> authentication itself - in other words, when a private-key function like
> 'decrypt', 'sign' or 'unwrap' is called,

RE: OCSP/CRL handling in Firefox

2006-08-14 Thread Krall, Gary
Nelson, Frank and Kai: Because of your terrific feedback and Nelson's comment below about the fact that client revocation is actively being discussed another colleague here in Verisign Engineering has joined this group. His name is Rick Andrews and he will not only be monitoring the discussions b

Forcing specific CA for domain

2006-08-14 Thread Balint Balogh
Hello Suppose Example Ltd. runs its own local CA that issues certificates to servers and email addresses at example.com and its subdomains. The certificate of this CA is installed as a trusted CA certificate into every browser (Firefox) and email client (Thunderbird) of employees. Example Ltd. wa

Re: pkcs#7 envelopeddata decoding

2006-08-14 Thread Bob Relyea
Michiel van Meersbergen wrote: Hello list, I'm running into some trouble with the SEC_PKCS7DecodeItem function. The input for this function is a PKCS#7 EnvelopedData object, which contains just one recipient, a session key (encrypted with the recipients' public key) and the encrypted content

Re: is this a non-intended usage of "roots" module?

2006-08-14 Thread David Stutzman
David Stutzman wrote: I added some certificates to the libnssckbi.so built-ins module that aren't CA certificates. I found I can grab them in the code by prefixing their nickname with "Builtin Object Token:" when I call PK11_FindCertFromNickname. Sometimes when I pass the certificate in to C

is this a non-intended usage of "roots" module?

2006-08-14 Thread David Stutzman
I added some certificates to the libnssckbi.so built-ins module that aren't CA certificates. I found I can grab them in the code by prefixing their nickname with "Builtin Object Token:" when I call PK11_FindCertFromNickname. Sometimes when I pass the certificate in to CERT_VerifyCertificate,

pkcs#7 envelopeddata decoding

2006-08-14 Thread Michiel van Meersbergen
Hello list, I'm running into some trouble with the SEC_PKCS7DecodeItem function. The input for this function is a PKCS#7 EnvelopedData object, which contains just one recipient, a session key (encrypted with the recipients' public key) and the encrypted contents, encrypted with the above m