On Fri, Jun 02, 2017 at 09:54:55AM -0400, Ryan Sleevi via dev-security-policy wrote:
> The general principle I was trying to capture was one of "Only sign these
> defined structures, and only do so in a manner conforming to their
> appropriate encoding, and only do so after validating all the necessary
> information. Anything else is 'misissuance' - of a certificate, a CRL, an
> OCSP response, or a Signed-Thingy"

For whatever it is worth, I am a fan of this way of defining "misissuance".

- Matt