Hello > This is consistent with what I said. Distrust all roots CAs but your own. > Issue intermediate CA certs with name constraints that effectively replace > all the distrusted root certs. Now I guess I understand how this would work. This seems to be a viable solution, but it is cumbersome and error-prone in the long run since one must keep track of root CAs included in client products, update certifications and root CA invalidations accordingly and roll them out to users.
A simple static policy would be a lot easier to setup, maintain and check for correctness. Regards, Balint Balogh _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto