Gervase Markham <[email protected]> wrote:
> On 08/12/16 13:06, Brian Smith wrote:
>> In particular, I suggest replacing "unable to issue server or email
>> certificates" with "unable to issue *trusted* server or email
>> certificates" or similar.
>
> I think I would prefer not to make that tie, because the obvious
> question is "trusted in which version of Firefox"? I would prefer to
> modify Firefox and the policy to match, but have the ability to skew
> those two updates as necessary, rather than tie the policy to what
> Firefox does directly.
"Unable to issue" means "unable to sign with the private key", which can only happen if they don't have the private key. But they do have the private key, so they're always able to issue certificates with any contents they want. Thus "unable to issue" is not a useful criterion, since no CA meets it, and so you need a different criterion.

Cheers,
Brian
--
https://briansmith.org/

