On 8/31/11 3:52 PM, Hill, Brad wrote: > Mozilla could add a certificate it controls to the trusted root > store with which it cross-signs other CA certs, adding a > nameConstraints in the process, yes?
In theory. In practice Firefox uses the historical certificate verification code and not the NSS pkix code, and the old code does not support constraints. We are working through a list of pkix bugs with the goal of switching over. -Dan Veditz _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security