In particular, it was proposed that a CA not issue different types of certificates under the same root CA, but instead use different roots for different types of certificates. This would in theory provide one way to distinguish the types for purposes of the UI, and would also in theory allow us to disable acceptance of "low assurance" certificates (i.e., by removing the root CA certificates for CAs issuing such certificates) should we ever feel the need to do so, without affecting acceptance of "high assurance" certificates.
This raises an interesting technical issue.
Would it be possible in NSS to use as a trusted CA something that is not a self-signed certificate, thereby allowing us to directly trust what is technically an intermediate CA?
(A root CA is a self-signed CA, but the list included in NSS is more a list of trust anchors, and a trust anchor does not have to be a self-signed certificate.)
This would mean the policy no longer has to be concerned with such technical implementation details, because it would be possible to decide freely to trust only a part of the CA tree of any organisation.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
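The idea raised in the message above, tried with the OpenSSL command line rather than NSS, as an added example that is not part of the original message: an intermediate CA is used as the only trust anchor, so one branch of a CA tree is accepted and its sibling is not. The PKI, the names and the `issue`/`accepts` helpers are constructed for the demo; `-partial_chain` is OpenSSL's switch, and nothing here shows how NSS behaves.

```shell
#!/bin/sh
# Constructed demo PKI (all names made up): Demo root signs two intermediates,
# "high" and "low"; each intermediate signs one end-entity certificate.
set -eu
PKI=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$PKI/ca.ext"

# issue NAME SIGNER KIND: new key and CSR for NAME, signed by SIGNER
# ("self" = self-signed); KIND "ca" adds the CA basic constraint.
issue() {
  name=$1 signer=$2 kind=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  if [ "$signer" = self ]; then
    set -- -signkey "$PKI/$name.key"
  else
    set -- -CA "$PKI/$signer.pem" -CAkey "$PKI/$signer.key" -CAcreateserial
  fi
  if [ "$kind" = ca ]; then set -- "$@" -extfile "$PKI/ca.ext"; fi
  openssl x509 -req -in "$PKI/$name.csr" -days 2 "$@" \
    -out "$PKI/$name.pem" 2>/dev/null
}

issue root self ca
issue high root ca; issue high-ee high leaf
issue low  root ca; issue low-ee  low  leaf
# Intermediates a peer would send along: untrusted input to path building.
cat "$PKI/high.pem" "$PKI/low.pem" > "$PKI/inter.pem"

# accepts ANCHOR LEAF [FLAGS]: status 0 if LEAF chains to ANCHOR, which is the
# only trusted certificate (with -trusted, no default CA store is consulted).
accepts() {
  anchor=$1 leaf=$2; shift 2
  openssl verify "$@" -trusted "$PKI/$anchor.pem" \
    -untrusted "$PKI/inter.pem" "$PKI/$leaf.pem" >/dev/null 2>&1
}
verdict() { if accepts "$@"; then echo accepted; else echo rejected; fi; }

echo "anchor=root, leaf under high:                $(verdict root high-ee)"
echo "anchor=root, leaf under low:                 $(verdict root low-ee)"
echo "anchor=high, leaf under high:                $(verdict high high-ee)"
echo "anchor=high, -partial_chain, leaf under high: $(verdict high high-ee -partial_chain)"
echo "anchor=high, -partial_chain, leaf under low:  $(verdict high low-ee -partial_chain)"
```

Without `-partial_chain`, OpenSSL insists that the chain end in a self-signed certificate, so the intermediate-only anchor is rejected until that switch is given.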
