On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote:
> I guess there's actually an RFC for something like this?
> https://tools.ietf.org/html/rfc5914 But I haven't looked at it in depth to
> see whether it's a good solution for this problem. I also don't think it
> requires an RFC to get something started.

It's not bad, for sure, but I think both Microsoft and Google's experiences
with specialized constraints and extensions aren't always fully represented by
5914. On a purely pragmatic level, it is a real pain to encode those
constraints - which is an ongoing issue itself with the NSS_TRUST flags and what
the binary representation of the structure is, whether it is extensible, etc.

The TL;DR is that each CA incident has resulted in a special response, always
with the goal of minimizing user impact relevant to the significance of the 

But it's doable, if we don't hate ASN.1 too much :)

dev-security-policy mailing list