Nelson Bolyard wrote:
> Your proposal would require storing the equivalent of a name constraints
> extension along with the root CA cert. It would also require additional
> processing, because name constraints are generally not processed inside
> trust anchors. That is, usually a CA puts the name
Kyle Hamilton wrote:
> The Mozilla Foundation is the authority which determines whether a
> given root certificate is included in its default certificate list.
> If you're going to assert that it's "provable", you suddenly create a
> lot more liability for the Foundation -- because it's not provabl
On 3/22/07, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Kyle Hamilton wrote:
>
> > The only function that limiting the types of things that a root can
> > sign certificates for is to raise the bar and force people who want to
> > do certain things (like sign code) to get identity certificates fro
Kyle Hamilton wrote:
> See, identity is identity.
I don't agree.
"This site's identity is www.example.com" is a different sort of
identity to "This site is owned and operated by Foo Corp. of Bermuda",
which is again different to "This site is owned and operated by Gervase
Markham, of Enfield,
On 3/21/07, Gervase Markham <[EMAIL PROTECTED]> wrote:
> >
> > All of the workarounds that have been emplaced are limited, necessarily,
> > by these two concepts. Now, you're advocating placing an external limit
> > on the trust allowed to be delegated from a trust anchor. (which is
> > also what
Kyle Hamilton wrote:
> I thought we'd had this type of conversation before... or maybe it was
> on the TLS discussion list, and I'm not remembering. Regardless...
I don't remember participating in one; maybe I wasn't around, or maybe
it was elsewhere. Regardless, you need to dust off your trust
I thought we'd had this type of conversation before... or maybe it
was on the TLS discussion list, and I'm not remembering. Regardless...
A "trust anchor" is a public key. (It's not a certificate that
contains the public key, or anything which can be validated with the
public key -- it's t
Gervase Markham wrote:
> Bob Relyea wrote:
>> In addition, we only parse these kinds of constraints on intermediate
>> certs (we currently don't have a mechanism to place name constraints
>> on a trusted root. Even if the trusted root had constraints itself,
>> they would be ignored once we identif
Bob Relyea wrote:
In addition, we only parse these kinds of constraints on intermediate
certs (we currently don't have a mechanism to place name constraints on
a trusted root. Even if the trusted root had constraints itself, they
would be ignored once we identify the cert as trusted.
Would so
Frank Hecker wrote:
Wan-Teh Chang wrote:
Gervase Markham wrote:
I am interested in investigating with the NSS developers whether it
would be possible to restrict a particular root certificate to
signing end entity certificates only for domains with a particular TLD.
In this context Gerv
Frank Hecker wrote:
> Of course using name constraints in the classic sense requires the
cooperation of the CA (since they have to add the extension to the CA
cert). I think Gerv was thinking of the more general case where for
policy reasons we might want to impose constraints on a CA even in t
Wan-Teh Chang wrote:
Gervase Markham wrote:
I am interested in investigating with the NSS developers whether it
would be possible to restrict a particular root certificate to signing
end entity certificates only for domains with a particular TLD.
In this context Gerv's reference is to end-ent
Gervase Markham wrote:
I am interested in investigating with the NSS developers whether it
would be possible to restrict a particular root certificate to signing
end entity certificates only for domains with a particular TLD.
For example, I would like to admit the CA of the Government of Lilli
I am interested in investigating with the NSS developers whether it
would be possible to restrict a particular root certificate to signing
end entity certificates only for domains with a particular TLD.
For example, I would like to admit the CA of the Government of Lilliput
to the root store,