Duane wrote:
> Nelson B wrote:
>
>> Choosing to be a low-assurance CA is a legit choice, IMO, as long as
>> the low assurance CA doesn't then issue certs used in applications
>> that require high assurance.
>
> Is there something that can be done to add extra bits to the server
> certs,
I wish there were some way, but I don't know of any standard way to represent the amount/strength of authenticity checking done by CAs prior to issuance. There would have to be a new extension, or alternatively it could be new info stored along with the cert in NSS's cert store.
I think the X.509 folks never dreamed that there would exist low-assurance CAs. They assumed all CAs would be high assurance. They were thinking of an X.500 world model, in which directories and CAs in each country would be governmentally regulated, and hence held to high standards by their governments (as seems to be the case in the EU, whence the X.500 folks came).
> when I see "Class 3" server certificates in the browser it's
> purely informational,
AFAIK, there's no uniform standard for classes. It might help a lot if there were. WebTrust doesn't require classes. They test only that a CA does what their CPS says, whatever that is.
> why not mark those certificates high trust with bits in the nss libs
> and then have the chrome show this information,
I think my predecessors (original designers of NSS) thought that all SSL and code-signing CAs would be high assurance, and therefore thought that the 3 trust bits (email, SSL, code signing) were enough to distinguish (root CA) certs as to level of assurance.
--
Nelson B