Bob Relyea wrote:
>>> In general, this cannot be done. It is possible to put "name constraints"
>>> on CAs that are subordinate to a root CA, but not generally on root CAs.
>>>
>> I was afraid of getting an answer like this but thanks for replying anyway.
>> :)
>>
> This is the general problem PKIX and cross certificates are supposed to
> solve.
>
> In the PKIX model you would create a new intermediate with the same
> subject and keys as the root cert you want to trust. You would then add
> constraint extensions to the intermediate to limit what name spaces it
> can use (and what policies it can issue). That allows you to extend
> limited trust to other certificate domains.

This is consistent with what I said. Distrust all root CAs but your own.
Issue intermediate CA certs with name constraints that effectively replace
all the distrusted root certs.

> PKIX is currently planned for NSS 3.12, so won't be available in any
> mozilla based products this year.

He needn't wait for PKIX to do the above. PKIX is only needed if he's
going to involve policy-based chain building.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
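
The cross-certificate described in this thread, as an added example that is not part of the original messages: an intermediate carrying the external root's subject and public key, signed by your own root, with a critical name constraints extension. It assumes the Python `cryptography` package; the CA names, the `example.com` subtree and the helper names `issue`, `signed_by` and `build_demo` are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

OWN, EXT = "Own Root (constructed)", "External Root (constructed)"
CA = (x509.BasicConstraints(ca=True, path_length=None), True)

def issue(subject_cn, subject_pub, issuer_cn, issuer_key, extensions):
    """Sign a cert for subject_pub with issuer_key; extensions are (value, critical) pairs."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
               .public_key(subject_pub)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=30)))
    for value, critical in extensions:
        builder = builder.add_extension(value, critical)
    return builder.sign(issuer_key, hashes.SHA256())

def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's public key (ECDSA only)."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_demo(permitted_dns=("example.com",)):
    own_key = ec.generate_private_key(ec.SECP256R1())
    ext_key = ec.generate_private_key(ec.SECP256R1())  # held by the external CA, not by us
    own_root = issue(OWN, own_key.public_key(), OWN, own_key, [CA])
    ext_root = issue(EXT, ext_key.public_key(), EXT, ext_key, [CA])
    # A leaf the external CA issued earlier; it is not reissued or modified.
    san = x509.SubjectAlternativeName([x509.DNSName("www.example.com")])
    leaf_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    leaf = issue("www.example.com", leaf_pub, EXT, ext_key, [(san, False)])
    # Cross-certificate: external root's subject and public key, signed by our root,
    # with a critical name constraints extension. Only ext_root's public data is used.
    nc = x509.NameConstraints(
        permitted_subtrees=[x509.DNSName(d) for d in permitted_dns], excluded_subtrees=None)
    cross = issue(EXT, ext_root.public_key(), OWN, own_key, [CA, (nc, True)])
    return own_root, ext_root, cross, leaf
```

Because `cross` has the same subject and key as the external root, the existing leaf's signature verifies under it unchanged. With the self-signed external root removed from the trust store, the leaf chains only through `cross`, so a validator that enforces name constraints accepts it only for names under the permitted subtree.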