On 2011/09/02 23:42 PDT, Daniel Veditz wrote:
> On 8/31/11 3:52 PM, Hill, Brad wrote:
>> Mozilla could add a certificate it controls to the trusted root
>> store with which it cross-signs other CA certs, adding a
>> nameConstraints in the process, yes?

Yes.

> In theory. In practice Firefox uses the historical certificate
> verification code and not the NSS pkix code, and the old code does
> not support constraints.

Untrue. The old code fully supports name constraints. I'm less sure about libPKIX.

Consider that applying DNS name constraints to certificate common names is NOT standard practice, not required or suggested by the RFCs. NSS's old cert lib does it now. Not sure about libPKIX.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
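An added example, not part of the thread and not NSS code, that builds the cross-signed, name-constrained CA Brad describes using Go's crypto/x509, a verifier that follows RFC 5280 literally: a leaf whose SAN dNSName falls outside the permitted subtree is rejected, while a leaf carrying the hostname only in its CN is never compared against the constraint, which is exactly the non-standard extra check NSS's old cert lib performs. The CA names and the "example.org" subtree are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error: this is a constructed throwaway PKI, not production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// template returns a certificate skeleton; sans become SAN dNSName entries (none if nil).
func template(serial int64, cn string, isCA bool, ku x509.KeyUsage, sans []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
}
// sign issues tmpl for key under parent/parentKey (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}
// ChainAccepted builds root -> cross-signing CA whose nameConstraints permit only the DNS
// subtree "example.org" -> leaf, and reports whether Go's RFC 5280 path validation accepts it.
func ChainAccepted(leafCN string, sans []string) bool {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, xKey, leafKey := newKey(), newKey(), newKey()
	root := sign(template(1, "Constructed Root", true, x509.KeyUsageCertSign, nil), nil, rootKey, nil)
	xT := template(2, "Constructed Cross-Signing CA", true, x509.KeyUsageCertSign, nil)
	xT.PermittedDNSDomainsCritical, xT.PermittedDNSDomains = true, []string{"example.org"}
	cross := sign(xT, root, xKey, rootKey)
	leaf := sign(template(3, leafCN, false, x509.KeyUsageDigitalSignature, sans), cross, leafKey, xKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(cross)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
```

Go checks the constraint only against certificates that carry a SAN extension, so ChainAccepted("www.other.test", nil) succeeds even though the CN lies outside the subtree; a verifier such as NSS's old cert lib, which also constrains the CN, would reject that leaf.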