On 26/06/17 17:36, Ryan Sleevi wrote:
> Do you anticipate this being used to build trust decisions in other
> products, or simply inform what CAs are trusted (roughly)?

I don't have strong opinions about what people use the data for; I would hope it would be usable for either purpose. After all, people use certdata.txt for the latter purpose even though https://wiki.mozilla.org/CA/Additional_Trust_Changes exists...

> My understanding from the discussions is that this is targeted at the
> latter - that is, informative, and not to be used for trust decision
> capability - rather than being a full expression of the policies and
> capabilities of the root store.

I want it to be at least as capable as certdata.txt; I agree with the issues raised in previous discussions about a domain-specific language, and I don't want to go down the route of attempting something which can specify arbitrarily-complex restrictions. But it could certainly have reasonably simple mods like "only trusted for certs issued before date X", or "name constrained in this way".

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
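The two "reasonably simple mods" Gerv mentions (a trust cutoff by issuance date, and a name constraint) are what a consumer of such a file would actually have to enforce at path-validation time. The following is an added example, not Mozilla's format and not code from the thread: it defines a hypothetical JSON schema for a root-store record carrying those two modifiers, loads it, and evaluates a constructed leaf certificate against its issuing root. The record keys (`trust`, `not_issued_after`, `permitted_dns`, `excluded_dns`), the root names and the leaf data are all assumptions made for illustration; the name matching follows RFC 5280 dNSName subtree semantics.

```python
"""Evaluate a root-store record that carries simple trust modifiers.

Added example, not Mozilla's format: the JSON schema below is hypothetical
and exists only to show how a "not trusted for certs issued after date X"
cutoff and an RFC 5280-style DNS name constraint can be expressed in a
machine-readable store and checked when a leaf certificate is validated.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class RootEntry:
    name: str
    trusted_purposes: set                      # e.g. {"server", "email"}
    not_issued_after: Optional[date] = None    # leaf certs issued later are distrusted
    permitted_dns: list = field(default_factory=list)  # like RFC 5280 permittedSubtrees (dNSName)
    excluded_dns: list = field(default_factory=list)   # like RFC 5280 excludedSubtrees (dNSName)


@dataclass
class LeafCert:
    """The few leaf-certificate fields the checks below need (constructed)."""
    issuer: str
    not_before: date
    dns_names: list
    purpose: str


def make_leaf(issuer: str, not_before_iso: str, dns_names: list, purpose: str) -> LeafCert:
    """Convenience constructor taking the issuance date as an ISO string."""
    return LeafCert(issuer, date.fromisoformat(not_before_iso), list(dns_names), purpose)


def load_roots(text: str) -> dict:
    """Parse the hypothetical JSON store into RootEntry objects keyed by root name."""
    roots = {}
    for rec in json.loads(text):
        cutoff = rec.get("not_issued_after")
        roots[rec["name"]] = RootEntry(
            name=rec["name"],
            trusted_purposes=set(rec["trust"]),
            not_issued_after=date.fromisoformat(cutoff) if cutoff else None,
            permitted_dns=rec.get("permitted_dns", []),
            excluded_dns=rec.get("excluded_dns", []),
        )
    return roots


def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName matching: the name equals the constraint or has
    extra labels added on the left (i.e. is a subdomain of it)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)


def evaluate(roots: dict, leaf: LeafCert) -> tuple:
    """Return (trusted, reason) for a leaf against its issuing root's record."""
    root = roots.get(leaf.issuer)
    if root is None:
        return False, "issuer not in root store"
    if leaf.purpose not in root.trusted_purposes:
        return False, f"root not trusted for {leaf.purpose}"
    if root.not_issued_after is not None and leaf.not_before > root.not_issued_after:
        return False, f"issued after trust cutoff {root.not_issued_after.isoformat()}"
    for n in leaf.dns_names:
        # Excluded subtrees always win; permitted subtrees only apply if any are listed.
        if any(dns_in_subtree(n, c) for c in root.excluded_dns):
            return False, f"{n} is in an excluded subtree"
        if root.permitted_dns and not any(dns_in_subtree(n, c) for c in root.permitted_dns):
            return False, f"{n} is outside every permitted subtree"
    return True, "ok"


# Constructed sample store: one root with a date cutoff, one name-constrained root.
SAMPLE_STORE = """
[
  {"name": "Example Root CA 1", "trust": ["server"],
   "not_issued_after": "2017-06-30"},
  {"name": "Example Gov Root", "trust": ["server", "email"],
   "permitted_dns": ["example.gov"], "excluded_dns": ["test.example.gov"]}
]
"""

if __name__ == "__main__":
    roots = load_roots(SAMPLE_STORE)
    for leaf in (
        make_leaf("Example Root CA 1", "2017-01-15", ["www.example.com"], "server"),
        make_leaf("Example Root CA 1", "2017-08-01", ["www.example.com"], "server"),
        make_leaf("Example Gov Root", "2018-01-01", ["portal.test.example.gov"], "server"),
    ):
        print(leaf.issuer, leaf.dns_names, evaluate(roots, leaf))
```

The point of keeping the modifiers to a closed set of fields rather than a general-purpose language is visible in `evaluate`: each restriction is one explicit, auditable check, and a consumer that does not understand a field can at least detect that the record has one and refuse to treat the root as unconditionally trusted.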