David E. Ross wrote:
> I encountered a situation in which a bank's Web site was secured by a
> chain of certificates, two of which were intermediate certificates
> controlled by third parties (not by the CA whose root certificate was at
> the top of the chain). In this case, inspecting the CA's intermediate
> certificates would not be sufficient since the CA does not own or
> control the intermediate certificates.

We can require that the CA's CPS state that it enforces this restriction by contract on sub-CAs. I hope and presume that they already enforce various restrictions on operation on their sub CAs, so adding one more should not prove a problem.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto