Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> Oh, and in that respect I have another interesting question. Suppose a
>> CA issues EV certificates (audited and conforming to the relevant
>> criteria in every respect) but their other CA business (meaning non-EV)
>> would fail to conform to the Mozilla CA policy, what would happen? What
>> are the (technical) options and possibilities? Could a CA be trusted
>> when issuing EV certificates but not for other types of certificates? Or
>> must any EV enabled root also otherwise be enabled? What would we (have
>> to) do in such a case?
>>
>
> Right now we don't have any technical mechanism to accept only EV
> certificates issued within a CA hierarchy, but not EV certs from within
> that same hierarchy. It's possible to imagine such a mechanism,

It might be good to have, since one day we might need it. We'd also have the option of doing so instead of an all-or-nothing approach, which might be wrong.

> but it
> would require additional code at the NSS or PSM level.

Nelson, any estimates what that would involve?

> If there's a general feeling that such a mechanism would be useful then
> people are
> free to contribute it or (if no one is willing or able to do it) the
> Mozilla Foundation could help fund its creation.
>

It's not something we thought about previously, but is legitimate in every respect. Now, we might end up never being in such a situation, but who knows... what do you think? Wait until we'd be forced to? Or implement anyway (if possible)?

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto