Re: Just change expiry time

2008-12-30 Thread Paul Hoffman
At 1:49 PM +0100 12/30/08, Michael Ströder wrote:
>Please, we shouldn't mess around with PKIX cert validation mechs.

Fully agree. The definition of the notAfter field in PKIX has nearly nothing to do with "expiry". It is widely argued whether or not this field is even useful in self-signed certi

Re: Just change expiry time

2008-12-30 Thread Ben Bucksch
On 30.12.2008 17:28, Nelson B Bolyard wrote: Before any more people promote the removal of trust flags, I suggest you read https://bugzilla.mozilla.org/show_bug.cgi?id=470897#c11 Yes, granted. But - we can yank the entire root. I *think* that's what Michael meant. It may or may not be wha

Re: Just change expiry time

2008-12-30 Thread Nelson B Bolyard
Michael Ströder wrote, On 2008-12-30 04:49:
> Ben Bucksch wrote:
>> If we decide that a CA does not operate properly, but we don't want to
>> cause problems for users, another option would be to shorten the expiry
>> date of the relevant root certs to one year or less.
>>
>> Technically, that shoul

Re: Just change expiry time

2008-12-30 Thread Ben Bucksch
On 30.12.2008 13:49, Michael Ströder wrote: I see no problem to schedule the removal of a trust flag. For security reasons all users have to update browsers from time to time anyway. ;-} Yup, that's the low-tech version of effectively doing the same. And it gives more flexibility.

Re: Just change expiry time

2008-12-30 Thread Michael Ströder
Ben Bucksch wrote:
> If we decide that a CA does not operate properly, but we don't want to
> cause problems for users, another option would be to shorten the expiry
> date of the relevant root certs to one year or less.
>
> Technically, that should be possible. The cert is public anyways.

But th

Re: Just change expiry time

2008-12-30 Thread Ian G
On 30/12/08 06:30, Ben Bucksch wrote: If we decide that a CA does not operate properly, but we don't want to cause problems for users, another option would be to shorten the expiry date of the relevant root certs to one year or less. Technically, that should be possible. The cert is public anywa

Just change expiry time

2008-12-29 Thread Ben Bucksch
If we decide that a CA does not operate properly, but we don't want to cause problems for users, another option would be to shorten the expiry date of the relevant root certs to one year or less. Technically, that should be possible. The cert is public anyways. The current certs are probably s