On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote:

> I guess there's actually an RFC for something like this?
> https://tools.ietf.org/html/rfc5914
> But I haven't looked at it in depth to see whether it's a good solution for this problem. I also don't think it requires an RFC to get something started.
It's not bad, for sure, but I think both Microsoft and Google's experiences with specialized constraints and extensions aren't always fully represented by 5914. On a purely pragmatic level, it is a real pain to encode those constraints - which is an ongoing issue itself with the NSS_TRUST flags and how the binary representation of the structure is, whether it is extensible, etc.

The TL;DR is that each CA incident has resulted in a special response, always with the goal of minimizing user impact relevant to the significance of the incident.

But it's doable, if we don't hate ASN.1 too much :)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
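To make the "pain of encoding those constraints" concrete, here is an added example (not code from this thread, from Mozilla, or from RFC 5914) that hand-encodes and decodes the one constraint structure RFC 5914's CertPathControls reuses from RFC 5280, NameConstraints, and then applies the dNSName matching rule to candidate hostnames. It assumes only dNSName subtrees (the DER tags and lengths are written out by hand rather than via an ASN.1 library) and the hostnames and constraint values are constructed sample data.

```python
from __future__ import annotations

# Added example: minimal DER encode/decode of an RFC 5280 NameConstraints
# (the nameConstr field of an RFC 5914 CertPathControls), dNSName only.
# Sample names below are constructed for illustration.


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_name_constraints(permitted: list[str], excluded: list[str]) -> bytes:
    """NameConstraints ::= SEQUENCE {
         permittedSubtrees [0] IMPLICIT GeneralSubtrees OPTIONAL,
         excludedSubtrees  [1] IMPLICIT GeneralSubtrees OPTIONAL }
       GeneralSubtree ::= SEQUENCE { base GeneralName, ... }
       GeneralName dNSName is [2] IMPLICIT IA5String, i.e. tag 0x82."""
    def subtrees(names: list[str]) -> bytes:
        return b"".join(der_tlv(0x30, der_tlv(0x82, n.encode("ascii"))) for n in names)

    body = b""
    if permitted:
        body += der_tlv(0xA0, subtrees(permitted))   # [0] constructed, implicit
    if excluded:
        body += der_tlv(0xA1, subtrees(excluded))    # [1] constructed, implicit
    return der_tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_name_constraints(der: bytes) -> dict[str, list[str]]:
    """Inverse of encode_name_constraints; rejects anything it does not model."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out: dict[str, list[str]] = {"permitted": [], "excluded": []}
    pos = 0
    while pos < len(body):
        tag, subtrees, pos = _read_tlv(body, pos)
        key = {0xA0: "permitted", 0xA1: "excluded"}.get(tag)
        if key is None:
            raise ValueError(f"unexpected tag {tag:#x} in NameConstraints")
        spos = 0
        while spos < len(subtrees):
            stag, subtree, spos = _read_tlv(subtrees, spos)
            if stag != 0x30:
                raise ValueError("GeneralSubtree must be a SEQUENCE")
            gtag, base, _ = _read_tlv(subtree, 0)
            if gtag != 0x82:
                raise ValueError("only dNSName subtrees are handled here")
            out[key].append(base.decode("ascii"))
    return out


def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName constraint is satisfied by the name itself
    or by any name formed by adding labels on the left."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def dns_name_permitted(name: str, constraints: dict[str, list[str]]) -> bool:
    """Excluded subtrees win; if any permitted subtree exists the name must fall in one."""
    if any(dns_in_subtree(name, c) for c in constraints["excluded"]):
        return False
    if constraints["permitted"] and not any(dns_in_subtree(name, c) for c in constraints["permitted"]):
        return False
    return True


if __name__ == "__main__":
    der = encode_name_constraints(["example.com"], ["internal.example.com"])
    print(der.hex())
    parsed = decode_name_constraints(der)
    for host in ("www.example.com", "example.com", "notexample.com", "db.internal.example.com"):
        print(host, dns_name_permitted(host, parsed))
```

Even this toy version shows the two sources of friction the message alludes to: the structure is nested three SEQUENCE levels deep before a single hostname appears, and every field is optional and tagged, so any new kind of constraint means agreeing on a new tag and a new decoder branch rather than flipping a bit in a flags word.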