On 9/15/13 2:08 PM, "Yaron Sheffer" <[email protected]> wrote:
>Hi Jim,
>
>Wouldn't the following be simpler and more natural than both proposals:
>
>- The organization maintains its own CA, maybe just for S/MIME client certs.
>- The CA cert is kept as a DNS record, signed by DANE.
>- The CA cert is usage-limited, so it can be used for S/MIME only, and only for addresses at this particular domain. [I suppose this is the hard part. Is it allowed by X.509?]

You'd need to write something to limit CA certificates in this manner. This may just be a matter of writing up processing rules to codify the recent CAB Forum changes to EKU usage.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
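As an added illustration (not part of the thread), this is the check a relying party would apply to a CA limited in the way Yaron describes: rfc822Name name constraints from RFC 5280 section 4.2.1.10 cover "only for addresses at this domain", and the EKU intersection along the path is the kind of processing rule Jim refers to, assumed here rather than taken from RFC 5280. Certificates are modelled as plain dicts with assumed field names and the addresses are constructed.

```python
"""Check a leaf S/MIME certificate against a constrained organisation CA.
Certificates are plain dicts (no real X.509 parsing). Two limits are modelled:
rfc822Name name constraints (RFC 5280 4.2.1.10) and an EKU intersection along
the path, the CAB-Forum-style rule mentioned in the reply (assumed, not RFC 5280).
"""
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

def rfc822_matches(constraint: str, mailbox: str) -> bool:
    """RFC 5280 4.2.1.10 rfc822Name matching; the host part is case-insensitive.
    "example.com"       -> any mailbox whose host is exactly example.com
    ".example.com"      -> any mailbox on any host within example.com
    "alice@example.com" -> exactly that mailbox
    """
    if "@" not in mailbox:
        return False
    local, host = mailbox.rsplit("@", 1)
    host = host.lower()
    if "@" in constraint:  # full-mailbox constraint
        c_local, c_host = constraint.rsplit("@", 1)
        return local == c_local and host == c_host.lower()
    c_host = constraint.lower()
    if c_host.startswith("."):  # whole domain; the bare domain host itself does not match
        return host.endswith(c_host)
    return host == c_host

def name_allowed(mailbox: str, permitted: list, excluded: list) -> bool:
    """Excluded subtrees win; an empty permitted list means unconstrained."""
    if any(rfc822_matches(c, mailbox) for c in excluded):
        return False
    return not permitted or any(rfc822_matches(c, mailbox) for c in permitted)

def validate_path(ca: dict, leaf: dict) -> list:
    """Return the list of problems; an empty list means the leaf is acceptable."""
    problems = [f"{m} is outside the CA's rfc822Name constraints"
                for m in leaf["rfc822_names"]
                if not name_allowed(m, ca["permitted_rfc822"], ca["excluded_rfc822"])]
    if ID_KP_EMAIL_PROTECTION not in leaf["eku"]:
        problems.append("leaf certificate lacks id-kp-emailProtection")
    # Assumed chaining rule: a CA carrying an EKU may only issue for those purposes.
    # A CA with eku=None carries no EKU extension and is not limited by this rule.
    if ca["eku"] is not None and ID_KP_EMAIL_PROTECTION not in ca["eku"]:
        problems.append("CA certificate is not authorised for S/MIME")
    return problems

# Constructed sample: an organisation CA limited to S/MIME for example.com mailboxes.
ORG_CA = {"permitted_rfc822": ["example.com", ".example.com"], "excluded_rfc822": [],
          "eku": [ID_KP_EMAIL_PROTECTION]}
GOOD_LEAF = {"rfc822_names": ["alice@example.com"], "eku": [ID_KP_EMAIL_PROTECTION]}
BAD_LEAF = {"rfc822_names": ["alice@example.org"], "eku": [ID_KP_EMAIL_PROTECTION]}
```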
