(please send follow-ups to mozilla.dev.tech.crypto)
Brian has in the past discussed proposed updates to NSS that would allow
us to penalize bad CA behavior by removing trust of all certs from a
given CA that were issued after a given date (or even for X amount of
time after a given date).
On 19/02/12 04:30, Jan Schejbal wrote:
A different interesting approach for a punishment could be removal of
the ability to create Sub-CAs. This would not put a CA out of business
like other solutions, but hurt it and most importantly, remove an
extremely risky ability.
This could probably be
On 2/18/12 11:30 PM, Jan Schejbal wrote:
On 2012-02-19 02:46, Stephen Schultze wrote:
Brian, any thoughts on this? Is this something we should be holding out
for, or should we look to other approaches?
A different interesting approach for a punishment could be removal of
the ability to
On 2012-02-20 12:59, Gervase Markham wrote:
I don't think this would be terribly practical. If the length constraint
was 1, then the CA would need to issue all subscriber certs directly off
the root - which is a strongly discouraged practice. If the length
constraint was 2, then the CA could
On 19.02.2012 02:46, Stephen Schultze wrote:
Brian has in the past discussed proposed updates to NSS that would
allow us to penalize bad CA behavior by removing trust of all certs
from a given CA that were issued after a given date (or even for X
amount of time after a given date).
Someone
On Sat, Feb 18, 2012 at 5:46 PM, Stephen Schultze sjschultze.use...@gmail.com
wrote:
Brian has in the past discussed proposed updates to NSS that would allow us
to penalize bad CA behavior by removing trust of all certs from a given CA
that were issued after a given date (or even for X amount
On 2012-02-19 02:46, Stephen Schultze wrote:
Brian, any thoughts on this? Is this something we should be holding out
for, or should we look to other approaches?
A different interesting approach for a punishment could be removal of
the ability to create Sub-CAs. This would not put a CA out
On 2012-02-19 06:00, Stephen Schultze wrote:
Yes, but it would also break all existing certs issued by that CA that
are in the wild, which is one of the reasons that Mozilla has been so
resistant to removing roots in the first place.
Why? The point was only breaking the certs signed by