On 2012-02-20 12:59, Gervase Markham wrote:
> I don't think this would be terribly practical. If the length constraint
> was 1, then the CA would need to issue all subscriber certs directly off
> the root - which is a strongly discouraged practice. If the length
> constraint was 2, then the CA could still issue subordinates.

I assumed that intermediates change less often than they do, so the
length constraint approach won't work.

The best solution to achieve this would probably be an agreement with
the CA that they will not issue any new Sub-CAs at all or that they will
issue them only from a specific intermediate that can be blacklisted in
Mozilla.

If the CA does not want to agree to that (or violates the agreement),
the root would have to be removed.

Sub-CAs issued before the agreement was made would need to be disclosed
(at least by certificate fingerprint/serial) and blacklisted, unless
they are supposed to stay valid. This should be doable, as I doubt that
a CA issues thousands of Sub-CAs.

Kind regards,
Jan

-- 
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
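As an added illustration of the two mechanisms discussed in this thread (a pathLenConstraint on the root versus blacklisting specific Sub-CAs by fingerprint or serial), here is a small chain checker. It is example code written for this page, not code from Mozilla, NSS or any CA, and the certificates in it are constructed stand-ins with made-up names and serials.

```python
# Added example: enforce RFC 5280 pathLenConstraint and a Sub-CA distrust list.
import hashlib
from dataclasses import dataclass
from typing import AbstractSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool
    path_len: Optional[int]  # basicConstraints pathLenConstraint; None = absent
    der: bytes               # constructed stand-in for the DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def validate_chain(chain: Sequence[Cert], root: Cert,
                   distrusted_fps: AbstractSet[str] = frozenset(),
                   distrusted_serials: AbstractSet[Tuple[str, int]] = frozenset(),
                   ) -> Tuple[bool, str]:
    """chain is leaf-first and excludes the trust anchor `root`.
    RFC 5280: a CA's pathLenConstraint is the maximum number of intermediate CA
    certificates that may follow it in the path; the end-entity is not counted."""
    path = [root] + list(reversed(chain))  # root -> intermediates -> leaf
    for i in range(1, len(path)):
        issuer, cert = path[i - 1], path[i]
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer mismatch"
        if not issuer.is_ca:
            return False, f"{issuer.subject}: issued a cert but is not a CA"
        if cert.fingerprint() in distrusted_fps or (cert.issuer, cert.serial) in distrusted_serials:
            return False, f"{cert.subject}: on distrust list"
    intermediates = len(path) - 2  # CA certs strictly between root and leaf
    for i, ca in enumerate(path[:-1]):
        following = intermediates - i  # intermediate CAs that follow this CA
        if ca.path_len is not None and following > ca.path_len:
            return False, (f"{ca.subject}: pathLenConstraint={ca.path_len} "
                           f"but {following} intermediate(s) follow")
    return True, "ok"


# Constructed sample hierarchy (not real certificates).
ROOT = Cert("Example Root", "Example Root", 1, True, 1, b"root-der")
SUB1 = Cert("Example Sub-CA 1", "Example Root", 1001, True, None, b"sub1-der")
SUB2 = Cert("Example Sub-CA 2", "Example Sub-CA 1", 2001, True, 0, b"sub2-der")
LEAF_A = Cert("www.example.test", "Example Sub-CA 1", 5001, False, None, b"leaf-a")
LEAF_B = Cert("mail.example.test", "Example Sub-CA 2", 5002, False, None, b"leaf-b")
```

With ROOT's pathLenConstraint of 1, the chain through SUB1 alone validates while the chain through SUB1 and SUB2 is rejected at the root; putting SUB1's fingerprint or (issuer, serial) on the distrust list rejects everything beneath it without touching the root.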
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto