Hi Wen-Cheng,

On 04/12/16 06:12, 王文正 wrote:
> Requiring that Key rollover must be accompanied by DN rotation will
> contradict the PKIX standard and the original X.509 standard.

Leaving aside the particular situation we are in, in general the Web PKI uses X.509 and other standards as a guide, but if something doesn't work, or we stop allowing it for security reasons, that's just the way it is and that needs to be accepted. Take, for example, non-critical name constraints. Not allowed by the RFC, but used in the Web PKI.

I note also that Mozilla's root store policy says:

"This also includes (but again is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) might cause technical problems with the operation of our software..."

If what you are trying to do doesn't work in our software, it may end up that we just shrug our shoulders and tell you to do something else. That's not definite, but it is a possible outcome you need to be prepared for.

> If so, I do know how Mozilla can claim that the NSS is
> interoperable with PKIX Certificate and CRL profile?

If you are right, we may just have to stop claiming that :-)

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
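The non-critical name constraints point above is a concrete, checkable mismatch between RFC 5280 (which requires conforming CAs to mark the NameConstraints extension critical) and what the Web PKI tolerates. The following is an added example, not code from the thread or from Mozilla/NSS: a minimal DER walker that locates the NameConstraints extension (OID 2.5.29.30) in a certificate and reports whether it is critical, the sort of check a root-program auditor might run over a batch of CA certificates. The certificate it parses is a hand-constructed DER skeleton (version, serial and an extensions block only; the other TBSCertificate fields are omitted), not a real CA certificate.

```python
"""Report whether a certificate's NameConstraints extension is marked critical.

Added example for the dev-security-policy thread above; not NSS or Mozilla code.
The sample certificate is a constructed DER skeleton, not a real certificate.
"""

NAME_CONSTRAINTS_OID = "2.5.29.30"  # id-ce-nameConstraints, RFC 5280 4.2.1.10


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos.

    Assumes single-byte tags, which is all X.509 needs.
    """
    tag = data[pos]
    pos += 1
    length = data[pos]
    pos += 1
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def decode_oid(raw):
    """Decode DER OID contents into dotted form (e.g. 2.5.29.30)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def find_extensions(cert_der):
    """Walk Certificate -> tbsCertificate -> [3] extensions; return {oid: critical}."""
    _, cert_body, _ = read_tlv(cert_der, 0)  # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)       # tbsCertificate SEQUENCE
    exts = {}
    for tag, v in iter_children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        _, ext_seq, _ = read_tlv(v, 0)       # SEQUENCE OF Extension
        for _, ext in iter_children(ext_seq):
            parts = list(iter_children(ext))
            oid = decode_oid(parts[0][1])
            # critical BOOLEAN DEFAULT FALSE: DER omits it when false, but a
            # sloppy encoder may emit an explicit FALSE, so check the tag.
            critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
            exts[oid] = critical
    return exts


def name_constraints_status(cert_der):
    """Return 'absent', 'critical' or 'non-critical' for the NameConstraints extension."""
    exts = find_extensions(cert_der)
    if NAME_CONSTRAINTS_OID not in exts:
        return "absent"
    return "critical" if exts[NAME_CONSTRAINTS_OID] else "non-critical"


# --- constructed sample input (DER skeleton, not a real certificate) ---

def encode_tlv(tag, value):
    ln = len(value)
    if ln < 0x80:
        return bytes([tag, ln]) + value
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_cert(critical):
    """Certificate skeleton with a NameConstraints extension permitting dNSName example.com."""
    subtree = encode_tlv(0x30, encode_tlv(0x82, b"example.com"))   # GeneralSubtree{dNSName}
    name_constraints = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x30, subtree)))
    ext_parts = encode_tlv(0x06, encode_oid(NAME_CONSTRAINTS_OID))
    if critical:
        ext_parts += encode_tlv(0x01, b"\xff")                     # critical TRUE
    ext_parts += encode_tlv(0x04, name_constraints)                # extnValue OCTET STRING
    extensions = encode_tlv(0xA3, encode_tlv(0x30, encode_tlv(0x30, ext_parts)))
    tbs = (encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))             # version v3
           + encode_tlv(0x02, b"\x01")                             # serialNumber 1
           + extensions)                                           # other fields omitted
    return encode_tlv(0x30, encode_tlv(0x30, tbs))


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, name_constraints_status(build_sample_cert(flag)))
```

Against real certificates the walker works unchanged on the DER bytes (the PEM body base64-decoded), because it finds the extensions block by its `[3]` tag rather than by position; a strict RFC 5280 validator would reject the `non-critical` result, whereas Mozilla's policy, as Gerv notes, accepts it.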