Hello, I'm working on an Internet-Draft describing an application-level analog of CRLs. I named the proposed file format Certificate Limitation Profile.

I think that the current model of trust, where only CAs can revoke the certificates they issued, does not fit the current situation, and we also need app-level limitations, as browser vendors (Google, Mozilla) already do. Currently such limitations are hard-coded into the particular software. Once standardized, it will be possible to reuse such limitations across various applications and avoid hard-coding.

Here is the link to the draft: https://datatracker.ietf.org/doc/draft-belyavskiy-certificate-limitation-policy/

The current version of the draft (hopefully) describes the necessary ASN.1 structures, which are enough for the most practical cases. I have medium-term plans to provide support for the draft in OpenSSL, if the idea seems interesting enough.

Any feedback is welcome. Thank you!

-- 
SY, Dmitry Belyavsky
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
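As an added illustration of the idea described in the post (this is not the draft's ASN.1, which is not reproduced here, and not OpenSSL code), the following Python models a hypothetical limitation profile applied by an application after ordinary chain validation has already succeeded. The `Cert` and `Limitation` classes, the selector/effect fields and the sample certificates and profile entries are all constructed for this example; the three effects shown (distrust a specific certificate, cap the validity of everything issued by a CA, restrict the names a CA may vouch for) correspond to the kinds of limitations browser vendors currently hard-code.

```python
"""Hypothetical application-level certificate limitation check (illustration only).

Assumes the chain has already been validated under the normal CA/CRL model;
this layer only applies the application's own limitations on top of it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Fields an application already has at hand after chain validation."""
    subject: str
    issuer: str
    serial: int
    not_after: datetime
    spki_sha256: str                  # hex digest of the SubjectPublicKeyInfo
    dns_names: Tuple[str, ...] = ()   # SAN dNSName entries (leaf only)


@dataclass(frozen=True)
class Limitation:
    """One profile entry: selector fields (AND-ed) plus the effect to apply."""
    # selectors: every selector that is not None must match the certificate
    issuer: Optional[str] = None
    serial: Optional[int] = None
    spki_sha256: Optional[str] = None
    # effects
    distrust: bool = False                   # treat the matched cert as revoked
    not_after: Optional[datetime] = None     # stop trusting the matched cert after this time
    allowed_suffixes: Tuple[str, ...] = ()   # when matched cert is an issuer: leaf names must fall under these

    def matches(self, cert: Cert) -> bool:
        selectors = (
            (self.issuer, cert.issuer),
            (self.serial, cert.serial),
            (self.spki_sha256, cert.spki_sha256),
        )
        # an entry with no selector at all must never match every certificate
        if all(want is None for want, _ in selectors):
            return False
        return all(want is None or want == got for want, got in selectors)


def _in_scope(name: str, suffix: str) -> bool:
    """True if name equals the suffix or is a subdomain of it."""
    return name == suffix or name.endswith("." + suffix)


def apply_limitations(chain: List[Cert], profile: List[Limitation],
                      now: datetime) -> Tuple[bool, str]:
    """chain is leaf-first. Returns (accepted, reason)."""
    leaf = chain[0]
    for depth, cert in enumerate(chain):
        for lim in profile:
            if not lim.matches(cert):
                continue
            if lim.distrust:
                return False, f"distrusted: {cert.subject}"
            if lim.not_after is not None and now > lim.not_after:
                return False, f"validity capped at {lim.not_after.date()} for {cert.subject}"
            if lim.allowed_suffixes and depth > 0:   # only meaningful for issuers
                bad = [n for n in leaf.dns_names
                       if not any(_in_scope(n, s) for s in lim.allowed_suffixes)]
                if bad:
                    return False, f"names {bad} outside scope of {cert.subject}"
    return True, "ok"


# --- constructed sample data (not real certificates) -----------------------
ROOT = Cert("CN=Example Root", "CN=Example Root", 1,
            datetime(2035, 1, 1, tzinfo=UTC), "aa" * 32)
INTER = Cert("CN=Example Issuing CA", "CN=Example Root", 0x1001,
             datetime(2030, 1, 1, tzinfo=UTC), "bb" * 32)
LEAF = Cert("CN=www.example.com", "CN=Example Issuing CA", 0x77,
            datetime(2029, 6, 1, tzinfo=UTC), "cc" * 32, ("www.example.com",))

PROFILE = [
    # one mis-issued leaf, identified by issuer + serial like a CRL entry
    Limitation(issuer="CN=Example Issuing CA", serial=0x78, distrust=True),
    # the issuing CA (selected by key hash, so cross-signs are covered) may only vouch for example.com
    Limitation(spki_sha256="bb" * 32, allowed_suffixes=("example.com",)),
    # everything issued under the root stops being trusted at the start of 2027
    Limitation(issuer="CN=Example Root", not_after=datetime(2027, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(apply_limitations([LEAF, INTER, ROOT], PROFILE, datetime(2026, 1, 1, tzinfo=UTC)))
```

The evaluation walks the whole chain, not just the leaf, so a limitation placed on an intermediate (by key hash) or on a root's issuing scope takes effect for every leaf beneath it without the application having to enumerate them.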