On 10/12/16 21:14, Brian Smith wrote:
> "Unable to issue" means "unable to sign with the private key" which
> can only happen if they don't have the private key. But they do have
> the private key so they're always able to issue certificates with any
> contents they want. Thus "unable to issue" is not a useful criterion
> since no CA meets it and so you need a different criterion.
This seems like a linguistic nit but, nevertheless, I have replaced "unable to issue server or email certificates" with "unable to issue working server or email certificates". A certificate issued which does not meet the name constraints of its issuing CA could fairly be called "non-working" in WebPKI terms. This makes it clearer while avoiding complicating matters by referencing what Firefox does or does not trust.

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
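The distinction Gerv draws above turns on what a name constraint actually permits. The following is an added illustration, not code from the thread or from Mozilla: a minimal model of RFC 5280 name-constraint matching for dNSName and rfc822Name subtrees, run against a constructed sub-CA and a constructed set of leaf names. The constraint values, host names and mailboxes are made up for the example; a name that this check reports is exactly the kind of name a conforming path validator would reject, which is what makes such a certificate "non-working" even though the CA was perfectly able to sign it.

```python
"""Added example (not part of the original mailing-list thread): RFC 5280
name-constraint evaluation for dNSName and rfc822Name, with constructed
sample data. It models why a certificate can be validly signed yet still
be "non-working" under its issuer's name constraints.
"""
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """Permitted/excluded subtrees, split by name type (constructed stand-in
    for the X.509 nameConstraints extension)."""
    permitted_dns: list = field(default_factory=list)
    excluded_dns: list = field(default_factory=list)
    permitted_email: list = field(default_factory=list)
    excluded_email: list = field(default_factory=list)


def dns_matches(name, constraint):
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals it
    or is formed by prepending labels ("a.example.com" matches "example.com";
    "aexample.com" does not)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def email_matches(addr, constraint):
    """RFC 5280 4.2.1.10 for rfc822Name:
    - "user@host"  : exact mailbox
    - "host"       : any mailbox on exactly that host
    - ".domain"    : any mailbox on a subdomain of domain (not domain itself)
    """
    if "@" not in addr:
        return False
    local, _, host = addr.rpartition("@")
    host = host.lower()
    if "@" in constraint:
        clocal, _, chost = constraint.rpartition("@")
        return local == clocal and host == chost.lower()
    constraint = constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


def name_permitted(name, permitted, excluded, matcher):
    """Excluded subtrees always win. If any permitted subtree exists for this
    name type, the name must fall inside one of them; if none exist, the
    name type is unconstrained."""
    if any(matcher(name, c) for c in excluded):
        return False
    if permitted and not any(matcher(name, c) for c in permitted):
        return False
    return True


def violations(leaf_dns, leaf_emails, nc):
    """Return (name type, name) pairs in the leaf that the issuer's
    constraints do not allow; an empty list means the leaf conforms."""
    bad = []
    for n in leaf_dns:
        if not name_permitted(n, nc.permitted_dns, nc.excluded_dns, dns_matches):
            bad.append(("dNSName", n))
    for e in leaf_emails:
        if not name_permitted(e, nc.permitted_email, nc.excluded_email, email_matches):
            bad.append(("rfc822Name", e))
    return bad


# Constructed sample: a technically constrained sub-CA that may issue for
# corp.example and its subdomains, except the "lab" zone, and for mailboxes
# at corp.example or any of its subdomains.
SAMPLE_CA = NameConstraints(
    permitted_dns=["corp.example"],
    excluded_dns=["lab.corp.example"],
    permitted_email=[".corp.example", "corp.example"],
)


def demo():
    """Constructed leaf names: three are fine, three violate the constraints."""
    leaf_dns = ["www.corp.example", "host.lab.corp.example", "corp.example.evil"]
    leaf_emails = ["alice@corp.example", "bob@mail.corp.example", "mallory@example.org"]
    return violations(leaf_dns, leaf_emails, SAMPLE_CA)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind} {name!r} is outside the issuer's name constraints")
```

Note that the check says nothing about the signature: the sub-CA in the sample could sign a certificate for corp.example.evil without difficulty, and the result would still be rejected by any validator that honours the issuer's constraints.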

