I'm wondering how you think that policy will be distributed and why it needs signed. …
For instance it might come as part of some software distribution (like a browser), and either you trust all the files in that distribution or you don't. I agree that an unsigned variant of CLP makes sense. But it seems to me that if CLP is signed by the certificate that can be verified using standard chain of trust, it has some advantages. I think it makes perfect sense to sign CLP, because it allows you to separate trust in the server you’re downloading the content from and the content itself.
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev