Gervase Markham wrote:
> Ben Bucksch wrote:
>> Actually, not even that is necessary. Classes each have their own root
>> cert, so we can simply match root certs to level in our software,
>> using a list that is just as hardcoded as our root certs, and matches
>> the assigned levels.
>
> That assumes CAs only issue one type of cert from a particular root.
> Sadly, I believe this is not universally true.
In fact, the invention of certificate policy extensions with policy OIDs was done to eliminate the necessity of separate roots for each issuer policy. One root can issue certs (typically subordinate CA certs) each with a different policy OID. This is actually intended to reduce the number of root CA certs that a single CA party (single CA company) would need, from N root certs (for N policies) to 1 root cert for all policies. [*]

SO, we should no longer count on each class having its own root CA cert. Things just don't work that way any more.

[*]: So, it's a little perplexing that the first activity of all the EV cert issuers seems to be to issue a new root cert. It's almost as if they don't understand this principle of moving away from one root CA cert per class/policy.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
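The point made above, that one root can issue subordinate CAs under different policy OIDs so a client must read the policy rather than match the root, as an added Go example that is not from this thread: it builds one self-signed root, issues two subordinate CA certs from it that differ only in their certificatePolicies extension, and takes the level from the policy OID. Assumptions: Go's standard crypto/x509; the CA/Browser Forum EV (2.23.140.1.1) and DV (2.23.140.1.2.1) policy OIDs with level labels of our own; a single reused Ed25519 key for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Assumed table: the CA/Browser Forum EV and DV policy OIDs, mapped to our own level labels.
var levelByPolicy = map[string]string{"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV"}
// BuildHierarchy issues one self-signed root and two subordinate CAs that differ only in policy OID (one key reused for brevity).
func BuildHierarchy() (root, evSub, dvSub *x509.Certificate) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	issue := func(cn string, serial int64, oid asn1.ObjectIdentifier, parent *x509.Certificate) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
		if oid != nil { // hand-encoded certificatePolicies (2.5.29.32): SEQUENCE OF PolicyInformation
			der, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oid}})
			t.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
		}
		if parent == nil { // self-signed
			parent = t
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), key)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der) // re-parse our own DER so PolicyIdentifiers is filled
		return c
	}
	root = issue("Example Root", 1, nil, nil)
	evSub = issue("Example EV Sub CA", 2, asn1.ObjectIdentifier{2, 23, 140, 1, 1}, root)
	dvSub = issue("Example DV Sub CA", 3, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}, root)
	return
}
// LevelOf takes the level from the certificate's own policy OIDs, not from which root it chains to.
func LevelOf(c *x509.Certificate) string {
	for _, oid := range c.PolicyIdentifiers {
		if lvl, ok := levelByPolicy[oid.String()]; ok {
			return lvl
		}
	}
	return "unknown"
}
```

Both subordinates verify against the same root, so a hardcoded root-to-level list cannot tell them apart; only the policy OID can.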
