On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote:
> I guess there's actually an RFC for something like this?
> https://tools.ietf.org/html/rfc5914 But I haven't looked at it in depth to
> see whether it's a good solution for this problem. I also don't think it
> requires an RFC to get something started.
It's not bad, for sure, but I think both Microsoft and Google's experiences
with specialized constraints and extensions aren't always fully represented by
5914. On a purely pragmatic level, it is a real pain to encode those
constraints - which is an ongoing issue itself with the NSS_TRUST flags and how
the binary representation of the structure is, is it extensible, etc.
The TL;DR is that each CA incident has resulted in a special response, always
with the goal of minimizing user impact relevant to the significance of the
But it's doable, if we don't hate ASN.1 too much :)
dev-security-policy mailing list