Would it be possible for the browser to programmatically tell when an SSL connection is secured by a "domain validation only" cert? (I suspect not, but it's worth asking.)
This is difficult for a couple of reasons:
* There is no uniform mechanism by which CAs indicate in the cert itself what level of assurance (or alternately, what type of subscriber validation) is associated with the cert. Some have suggested that CAs standardize on a way to do this, but this is a future possibility not a present reality. We could attempt to look at each root CA and make an individual determination as to what type of validation they were performing, and then make our own classification (e.g., through our keeping a separate list mapping CAs to assurance levels or validation types), but ...
* Often CAs will have a single root CA cert and then multiple intermediate CAs under that root to actually issue certs to end users, with one intermediate CA issuing "low-assurance" certs and another (under the same root) issuing "high-assurance" certs. This makes it more difficult to create a CA "assurance level" list as described in the previous item, and also makes it difficult to reject a CA due to their issuing low-assurance certs without also rejecting their high-assurance certs as well.
(One way around this is to explicitly store intermediate CA certs in the built-in list. Nelson and others have previously been against this idea for various good reasons, but we may have to end up looking at this.)
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
