On Mon, Nov 27, 2017 at 07:56:00PM +0300, Dmitry Belyavsky wrote:
> Here is the link to the draft:
> https://datatracker.ietf.org/doc/draft-belyavskiy-certificate-limitation-policy/

I'm wondering how you think that policy will be distributed and
why it needs signed. I expect that there will always be some way
of authenticating the document if you download it without requiring
that the document is signed itself. For instance it might come
as part of some software distribution (like a browser), and either
you trust all the files in that distribution or you don't.

If it's signed, who will be signing it, and how does the
application know which key to use to verify the signature?

I can also imagine that users might wish to modify that file,
for instance add an internal CA or certificate, not trust some
CA, ... They could of course generate their own key, and tell the
software to use that key.


openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to