Peter Gutmann wrote:
> [...] Among other things,
> it says that CA root certs aren't subject to any verification (apart from
> signature and validity, obviously).

No, the standard doesn't include signature and validity period checking
for the trust anchor.
I realize everybody does the validity period checking, and probably most
everybody does the signature checking for self-signed certificates used
as trust anchors.
But formally the Basic Path Validation algorithm doesn't include those.
Still, you know that it's allowed to use the information inside the
trust anchor certificate as additional input to restrict the path
validation or initialize the constraints it uses.
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
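
Added example, not part of the original message and not code from any implementation: a reduced model of the point made in the reply above, where the formal algorithm takes only the trust anchor's name and key as input, next to the common practice of also checking the anchor certificate itself. It assumes HMAC as a stand-in for public-key signatures, covers only name chaining, signature and validity period (no constraints, policies or revocation), and all names and sample certificates are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

@dataclass
class Cert:
    subject: str
    issuer: str
    key: bytes            # stand-in for the subject's public key
    not_before: date
    not_after: date
    sig: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.not_before}|{self.not_after}".encode() + self.key

def sign(cert: Cert, issuer_key: bytes) -> Cert:
    # Assumption: HMAC stands in for a real public-key signature.
    cert.sig = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return cert

def sig_ok(cert: Cert, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.sig, expected)

def validate_path(anchor_name: str, anchor_key: bytes, path: list, today: date) -> bool:
    """Formal view: the anchor is just a trusted name and key; only certs in `path` are checked."""
    name, key = anchor_name, anchor_key
    for cert in path:
        if cert.issuer != name or not sig_ok(cert, key):
            return False
        if not (cert.not_before <= today <= cert.not_after):
            return False
        name, key = cert.subject, cert.key   # this cert becomes the issuer of the next
    return True

def validate_path_strict(anchor: Cert, path: list, today: date) -> bool:
    """Common practice: also check the anchor certificate's validity period and self-signature."""
    if not (anchor.not_before <= today <= anchor.not_after):
        return False
    if anchor.issuer != anchor.subject or not sig_ok(anchor, anchor.key):
        return False
    return validate_path(anchor.subject, anchor.key, path, today)

# Constructed sample data: an expired self-signed root above a current CA and leaf.
ROOT_KEY, CA_KEY = b"root-key", b"ca-key"
ROOT = sign(Cert("Root", "Root", ROOT_KEY, date(1995, 1, 1), date(2000, 1, 1)), ROOT_KEY)
CA = sign(Cert("CA", "Root", CA_KEY, date(2004, 1, 1), date(2008, 1, 1)), ROOT_KEY)
LEAF = sign(Cert("leaf", "CA", b"leaf-key", date(2005, 1, 1), date(2006, 1, 1)), CA_KEY)
TODAY = date(2005, 6, 1)
```

With this data the same chain is accepted by `validate_path` and rejected by `validate_path_strict`, because only the latter looks at the expired root certificate.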