Nelson Bolyard wrote:
Gervase Markham wrote:
Ben Bucksch wrote:
Actually, not even that is necessary. Classes each have their own root
cert, so we can simply match root certs to level in our software,
using a list that is just as hardcoded as our root certs, and matches
the assigned levels.
That assumes CAs only issue one type of cert from a particular root.
Sadly, I believe this is not universally true.

In fact, the invention of certificate policy extensions with policy OIDs
was done to eliminate the necessity of separate roots for each issuer
policy.  One root can issue certs (typically subordinate CA certs) each
with a different policy OID.

OK, so then the client can do this based on OID. This is exactly what Eddy was proposing.

--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
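The OID-based matching discussed above, as an added example that is not from this thread or from any Mozilla code: a dependency-free DER parser that pulls every policyIdentifier out of a certificatePolicies extension value (skipping any policyQualifiers) and looks each one up in a hardcoded OID-to-level table. The table, the level numbers and the sample extension bytes are constructed for illustration; only the 2.23.140.1.x CA/Browser Forum OIDs are real.

```python
from typing import Dict, List, Tuple

# Hypothetical level table, standing in for the "hardcoded list" discussed in the thread.
# 2.23.140.1.x are the real CA/Browser Forum EV/OV/DV policy OIDs; 1.3.6.1.4.1.99999.1.1 is a
# constructed placeholder for a CA-specific policy issued under the same root.
POLICY_LEVELS: Dict[str, int] = {"2.23.140.1.1": 3, "2.23.140.1.2.2": 2,
                                 "2.23.140.1.2.1": 1, "1.3.6.1.4.1.99999.1.1": 2}

# Constructed certificatePolicies extension values (DER), not taken from any real certificate.
# EV policy with a CPS-URI qualifier: SEQ { SEQ { OID 2.23.140.1.1, SEQ { SEQ { id-qt-cps, IA5String "x" } } } }
SAMPLE_EV = bytes.fromhex("301a3018060567810c0101300f300d06082b06010505070201160178")
# Two policies, no qualifiers: DV plus the placeholder CA-specific policy.
SAMPLE_DV_PLUS = bytes.fromhex("30183008060667810c010201300c060a2b06010401868d1f0101")

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """OBJECT IDENTIFIER content octets -> dotted string."""
    first, cur = content[0], 0
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    for b in content[1:]:                      # base-128 arcs; high bit marks continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_certificate_policies(ext_value: bytes) -> List[str]:
    """Every policyIdentifier in a certificatePolicies value; policyQualifiers are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        oid_tag, oid_bytes, _ = _read_tlv(info, 0)   # policyIdentifier is the first element
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_bytes))
    return oids

def assurance_level(ext_value: bytes) -> int:
    """Highest level among recognized policy OIDs; 0 when none match (unknown OID = no uplift)."""
    return max((POLICY_LEVELS.get(o, 0) for o in parse_certificate_policies(ext_value)), default=0)
```

An OID that is not in the table contributes nothing, so a certificate carrying only unrecognized policies (anyPolicy included) gets level 0 rather than inheriting anything from its root.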
