On Wed, May 8, 2019 at 10:36 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> [ Note, I am arguing a neutral position on the specific proposal ]
>
> The common purpose of having an internally secured (managed or on-site)
> CA in a public hierarchy is to have end certificates which are
> simultaneously:
>

Despite my years of close experience with the implementation and details of the certificate verification engines within Google Chrome and Android, Mozilla Firefox, Apple iOS and macOS, and Microsoft Windows, including extensive work with Enterprise PKIs, I must admit, I have never heard of the scenario you're describing or actually being supported.

Given that the remark is that such a desire is common, perhaps you can provide some external references documenting how one might go about configuring such a set-up, particularly in the context of TLS trust?

Similarly, I'm not aware of any system that supports binding S/MIME identities to a particular CA (effectively, CA pinning) - perhaps you can provide documentation and reference for systems that perform this?

Thanks for helping me understand how this 'common' scenario is actually implemented, especially given that the underlying codebases do not support such distinctions.