On 2012-02-19 06:00, Stephen Schultze wrote:
>
> Yes, but it would also break all existing certs issued by that CA that
> are in the wild, which is one of the reasons that Mozilla has been so
> resistant to removing roots in the first place.

Why? The point was only breaking the certs signed by sub-CAs, which probably aren't that many. Existing certs would chain up to the new cert that is a copy of the old one only with a length constraint added (or to one of the intermediates, which would also be added with a length constraint).

In case NSM does check the signature on installed CA certs (which I didn't think it did), this would have to be changed or the certs would need to be signed with a key generated just for this purpose (which, if needed, could be certified and added).

Just to make it clear, I do support the original suggestion; this is just an additional one.

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...