On Mon, Nov 27, 2017 at 07:56:00PM +0300, Dmitry Belyavsky wrote:
> Here is the link to the draft:
> https://datatracker.ietf.org/doc/draft-belyavskiy-certificate-limitation-policy/

I'm wondering how you think that policy will be distributed and why it needs to be signed. I expect that there will always be some way of authenticating the document if you download it without requiring that the document is signed itself. For instance it might come as part of some software distribution (like a browser), and either you trust all the files in that distribution or you don't.

If it's signed, who will be signing it, and how does the application know which key to use to verify the signature?

I can also imagine that users might wish to modify that file, for instance add an internal CA or certificate, not trust some CA, ... They could of course generate their own key, and tell the software to use that key.

Kurt