I couldn't find the reference off hand in your postings Frank but a
thought occurred to me that rather then removing CAs immediately, make a
small code change to reject any certificates issued by a CA after a
certain date if they were found to be in breach of any policies, MF or
otherwise.
The idea is you don't want to inconvenience any mozilla users with
existing certificates, but what about putting CAs on notice that until
XYZ criteria is rectified, they will be unable to issue further
certificates until the situation is rectified.
Possibly a few flaws in this idea I haven't considered, but could be a
purgatory before complete removal, or just deny any future certificates...
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
- Re: Proposed MF certificate policy... Scott Rea
- Re: Proposed MF certificate policy... Scott Rea
- Re: Proposed MF certificate policy... Duane
- Re: Proposed MF certificate policy... Nelson B
- Re: Proposed MF certificate policy and FAQ Julien Pierre
- Re: Proposed MF certificate policy and FAQ Duane
- Re: Proposed MF certificate policy and FAQ Frank Hecker
- Re: Proposed MF certificate policy and FAQ Julien Pierre
- Re: Proposed MF certificate policy and FAQ Duane
- Re: Proposed MF certificate policy and FAQ David Ross
