Kyle,

Kyle Hamilton wrote:
RFC3280 has been obsoleted by RFC5280.

True - sorry, but I'm still working with the old RFC. NSS is not current on the standards yet.


Aside from that, though...

...did the people who created PKIX just not realize that if a non-root
certificate needs the ability to be revoked, a root certificate would
also?

Remember that PKIX standards are derived from X.509, which is not Internet-specific. In other environments, there may be more secure, offline methods for updating roots (e.g. physical).

I think the distribution of trust anchors is something that nobody has really tried to generalize, because I think once again everybody is free to do it their own way. Some of those methods are secure, and others less so.

In general though, I think it's very hard to make anything secure - including your first Mozilla client download that contains your root, let alone an update to it - if you don't trust at least a single entity.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto