Jean-Marc Desperrier wrote:
> The correct X.509 mechanism to handle different levels of assurance for CAs is by using certificate policies.
I've read that claim before. Policy extensions contain OIDs that identify policies. I have seen very very little in the way of standardized policy OIDs. The US DOD has defined its own OIDs that don't seem to me to have general applicability in other markets. Seems to me that until there are a good number of standardized policy OIDs that can be used by mutually independent CAs, policy extensions will be just an idea.
Maybe I'm mistaken. If there's some large body of work on policy OID definitions that has escaped my notice, please feel free to enlighten me.
> But this would require that implementations correctly support multiple certificate policies, equivalence between policies, a normalized set of policies to represent the usual kinds of assurance, and the validation of a certification path against a policy.
I think we're saying the same thing. Lack of universally accepted policies (er, policy OIDs) is holding policy extensions back. Even if NSS implemented policy extensions today, lack of policy definition would make it pretty useless, IMO.
> In fact, the hardest point is to find out how this can be handled in terms of user interface.
I don't know how one would design *good* UI for policies while they remain so abstract.
-- 
Nelson B

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
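The two pieces the quoted message says an implementation would need, equivalence between policies (policyMappings) and validation of a certification path against a policy, as an added Python sketch that is not code from NSS or from either poster. It assumes certificates represented as constructed dicts and example policy OIDs under the 2.999 arc; the real RFC 5280 algorithm additionally tracks inhibitAnyPolicy, policy-constraint skip counts and a full policy tree.

```python
"""Simplified X.509 certificate-policy processing over a certification path.

Added illustration, not NSS code. Each certificate is a constructed dict with the
OIDs of its certificatePolicies extension and, for CA certificates, policyMappings
pairs (issuerDomainPolicy, subjectDomainPolicy). Only the core set logic is kept.
"""

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, the one universally defined policy OID
# Constructed OIDs under the 2.999 example arc, standing in for two CAs' policies
HIGH, MEDIUM, PARTNER_HIGH = "2.999.1.1", "2.999.1.2", "2.999.2.1"

def validate_policies(path, initial_policies):
    """Return the initial-domain policy OIDs under which the end entity is valid.

    `path` runs from the certificate issued by the trust anchor down to the
    end-entity certificate; `initial_policies` is the relying party's acceptable
    set (it may be {ANY_POLICY}). An empty result means the path is rejected."""
    # expected: OID the next certificate must assert -> initial-domain OID it stands for
    expected = {p: p for p in initial_policies}
    for cert in path:
        asserted = set(cert.get("policies", []))
        matched = {}
        for oid in asserted:
            if oid in expected:
                matched[oid] = expected[oid]
            elif ANY_POLICY in expected:
                matched[oid] = oid  # relying party accepts anything
        if ANY_POLICY in asserted:
            matched.update(expected)  # anyPolicy carries every expected policy on
        # policyMappings declare equivalence: issuer-domain OID -> subject-domain OID
        next_expected, remapped = {}, set()
        for issuer_oid, subject_oid in cert.get("mappings", []):
            if issuer_oid in matched:
                next_expected[subject_oid] = matched[issuer_oid]
                remapped.add(issuer_oid)
        for oid, domain in matched.items():
            if oid not in remapped:
                next_expected.setdefault(oid, domain)
        expected = next_expected
        if not expected:
            return set()
    return set(expected.values())

# Constructed path: our CA maps its HIGH to a partner CA's PARTNER_HIGH, and the
# partner CA issues the end-entity certificate under PARTNER_HIGH.
EXAMPLE_PATH = [
    {"policies": [HIGH, MEDIUM], "mappings": [(HIGH, PARTNER_HIGH)]},
    {"policies": [PARTNER_HIGH]},
    {"policies": [PARTNER_HIGH]},
]
```

Calling `validate_policies(EXAMPLE_PATH, {HIGH})` yields `{HIGH}` because the mapping carries HIGH across the partner boundary, while `{MEDIUM}` yields an empty set since the partner CA never asserts an equivalent of MEDIUM.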
