Duane wrote:
> Nelson B wrote:
>> I think the X.509 folks never dreamed that there would exist
>> low-assurance CAs.  They assumed all CAs would be high assurance.
>
> That's just naive... What other types of security, physical or otherwise, use a one-size-fits-all policy?

The correct X.509 mechanism to handle different levels of assurance for CAs is by using certificate policies.


But this would require that implementations correctly support multiple certificate policies, equivalence between policies, a normalized set of policies to represent usual kind of assurance, and the validation of a certification path against a policy.

In fact, the hardest point is to find out how this can be handled in terms of user interface.
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
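
The path check the message above refers to, as an added example that is not part of the original post or of any Mozilla code: a simplified Python model of RFC 5280 policy processing, in which each certificate narrows the set of valid policies and a policy mapping in a cross-certificate declares two domains' policies equivalent. The dict layout, the function name and the sample OIDs (under the 2.999 example arc) are assumptions, and policy constraints (requireExplicitPolicy, inhibitAnyPolicy, inhibitPolicyMapping) and qualifiers are left out.

```python
ANY = "2.5.29.32.0"  # anyPolicy OID from RFC 5280

def valid_policies(path, acceptable):
    """Return the policies under which `path` is valid, in the relying party's terms.

    path: certificates ordered from the one issued by the trust anchor down to
    the end entity. Each is a dict with "policies" (set of OIDs) and, for CA
    certificates, optional "mappings": [(issuer_domain, subject_domain), ...].
    """
    # state: policy OID expected in the next certificate -> the relying-party
    # policies it stands for.
    state = {ANY: {ANY}}
    for cert in path:
        nxt = {}
        for p in cert.get("policies", set()):
            if p == ANY:                      # carries every current policy through
                for k, v in state.items():
                    nxt.setdefault(k, set()).update(v)
            elif p in state:
                nxt.setdefault(p, set()).update(state[p])
            elif ANY in state:                # unconstrained so far: p stands for itself
                nxt.setdefault(p, set()).add(p)
        # Policy mappings declare equivalence: the issuer-domain OID is replaced
        # by the subject-domain OID expected further down the path.
        mapped, consumed = {}, set()
        for issuer_dom, subject_dom in cert.get("mappings", []):
            if issuer_dom in nxt:
                mapped.setdefault(subject_dom, set()).update(nxt[issuer_dom])
                consumed.add(issuer_dom)
        state = {k: v for k, v in nxt.items() if k not in consumed}
        for k, v in mapped.items():
            state.setdefault(k, set()).update(v)
    granted = set().union(*state.values())
    if ANY in acceptable:
        return granted
    return set(acceptable) if ANY in granted else granted & set(acceptable)

# Constructed sample OIDs under the 2.999 example arc.
A_HIGH, B_HIGH, B_LOW = "2.999.1.1", "2.999.2.7", "2.999.2.9"
CROSS = {"policies": {A_HIGH}, "mappings": [(A_HIGH, B_HIGH)]}  # domain A certifies CA B
UNMAPPED = {"policies": {A_HIGH}}

if __name__ == "__main__":
    print(valid_policies([CROSS, {"policies": {B_HIGH}}], {A_HIGH}))     # high assurance
    print(valid_policies([CROSS, {"policies": {B_LOW}}], {A_HIGH}))      # low assurance
    print(valid_policies([UNMAPPED, {"policies": {B_HIGH}}], {A_HIGH}))  # no equivalence
```

An empty result means the path chains cryptographically but carries no policy the relying party accepts, which is the case a user interface would have to explain.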
