On 30/08/2011 18:46, Boris Zbarsky wrote:
[...] Could we formalize this, and have CAs indicate any such
restrictions as part of their application, then enforce it on our end?
[...]  Has this been considered before? [...]

Yes, for government CAs, in order to limit them to issuing certificates only for their own ccTLD. And then it would be possible to no longer require them to be certified by a private auditor.

I'd need to check where this stands; at one point NSS could not enforce such a name constraint because of the legacy of including the server name inside the CN of the certificate. But AFAIR this is solved now, at least at NSS's level.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
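
The CN problem mentioned in the message above, as an added example that is not part of the original post and is not NSS code: RFC 5280 applies dNSName constraints to subjectAltName entries, so a certificate carrying its host name only in the subject CN passes a SAN-only check. Certificates are modelled as plain dicts with constructed values, and every function name and the host-name heuristic are assumptions made for illustration.

```python
# Added illustration: dNSName name constraints versus a host name carried in the CN.
# Certificates are constructed dicts, not parsed X.509; all names are hypothetical.

PERMITTED = ["fr"]  # constructed: a government CA limited to its own ccTLD

def dns_in_subtree(name, subtree):
    """RFC 5280 dNSName match: equal, or built by adding labels on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower()
    return name == subtree or name.endswith("." + subtree)

def looks_like_hostname(cn):
    """Assumed heuristic: two or more dot-separated labels of letters, digits, '-' or '*'."""
    labels = cn.split(".")
    return len(labels) >= 2 and all(
        label and all(ch.isalnum() or ch in "-*" for ch in label) for label in labels
    )

def names_to_check(cert, include_cn):
    """SAN dNSNames, plus the CN when no SAN is present and the CN reads as a host name."""
    names = list(cert.get("san_dns", []))
    if include_cn and not names and looks_like_hostname(cert["cn"]):
        names.append(cert["cn"])
    return names

def violations(cert, permitted, include_cn):
    """Return the names in the certificate that fall outside every permitted subtree."""
    return [
        name for name in names_to_check(cert, include_cn)
        if not any(dns_in_subtree(name, subtree) for subtree in permitted)
    ]

# Constructed sample certificates.
GOOD = {"cn": "Service Public", "san_dns": ["www.example.fr"]}
BAD_SAN = {"cn": "Mail", "san_dns": ["mail.example.com"]}
LEGACY_CN = {"cn": "www.example.com", "san_dns": []}  # host name only in the CN

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("bad SAN", BAD_SAN), ("legacy CN", LEGACY_CN)]:
        san_only = violations(cert, PERMITTED, include_cn=False)
        cn_aware = violations(cert, PERMITTED, include_cn=True)
        print(f"{label:10} SAN-only: {san_only}  CN-aware: {cn_aware}")
```
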
