(Sorry if this gets double-posted. Something was wonky with the list
that seems to have filtered out the first one I posted.)
On 4/8/11 6:49 PM, Sid Stamm wrote:
> - Implement subscription-based blocklisting of certs via update ping
> (remove need to ship patch)
Is there a bug for this? Would this permit blocklisting of CA certs or
just EE? Would it allow third parties to maintain and distribute such
blocklists?
> - CA locking functionality in HSTS or via CAA
I am not aware of a spec (yet) for HSTS to do this.
CAA (do-not-issue) is experimental track, and the draft is still pretty
rough.
DANE is standards track, and it anticipates this functionality in the
current draft section 2.3 -- cert type 2.
I suggest a DANE and/or HSTS approach.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security