At 1:46 PM -0800 12/24/08, Nelson B Bolyard wrote: >Paul Hoffman wrote, On 2008-12-24 09:55: > > - Remove all trust anchors one-by-one >> - Add your single trust anchor >> - Sign the certs of any CA you want >> - Add those signed certs to the pre-loaded validation path (not root) > > cert list > >Of course, that is COMPLETELY equivalent to simply setting trust flags on >the CA certs you want to trust, and removing those flags from the ones you >don't want to trust, which is already a part of Mozilla browsers (and >Netscape browsers, before them) for over 14 years.
Not "COMPLETELY", but close. What I proposed has a signature at the top of the hierarchy, which is what I thought that Kyle was asking for. The result is completely equivalent, but the format is slightly different. Of course, it is much easier for the people on this list to Insist With Exclamation Marks! that Mozilla fix this for them instead of them doing it themselves, but that problem is at different layer. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
