
Re: Certificate policy question
Richard Levitte - VMS Whacker <levitte@xxxxx> writes:

>Additionally, it could be a good thing to have the possibility to distrust
>certain CAs (no, I don't believe a CRL entry is the right thing, or is there
>a reason code that means "the CA made a fool of itself"?  Either way, that
>would also only be possible in a mesh-type PKI, I think).

I've got that in my code, so you can specifically say "I don't trust this CA",
or "I don't trust this CA to issue certificates".  Unfortunately there's no
way to express "I don't trust this CA to not send out its private key as a
PKCS #12 file/encrypt its CRLs so you can't read them/engineer its way out of
a wet paper bag/etc".

>or is there a reason code that means "the CA made a fool of itself"?

There's always my idiotPolicy suggestion :-).

Peter.
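
Added example (not part of Peter's message or of his code): a toy relying-party trust policy in Python that models the two distrust statements described above, "I don't trust this CA" and "I don't trust this CA to issue certificates", as local policy entries checked during path validation rather than as CRL entries, and that shows why, in a cross-certified mesh, it is the CA itself that has to be distrusted. The Distrust/TrustPolicy/validate_chain names, the CA names and the chains are all constructed for illustration; there are no real keys or signatures.

```python
from dataclasses import dataclass, field
from enum import Enum


class Distrust(Enum):
    """Scope of a local distrust entry (constructed for this example)."""
    ENTIRELY = "entirely"      # "I don't trust this CA" at all
    AS_ISSUER = "as_issuer"    # "I don't trust this CA to issue certificates"


@dataclass(frozen=True)
class Cert:
    """Toy certificate: names only, no keys or signatures (constructed)."""
    subject: str
    issuer: str
    is_ca: bool = False


@dataclass
class TrustPolicy:
    """Relying-party policy: positive trust anchors plus explicit distrust."""
    anchors: set[str]
    distrust: dict[str, Distrust] = field(default_factory=dict)

    def distrust_ca(self, name: str, scope: Distrust) -> None:
        # ENTIRELY is the stronger verdict; never downgrade it to AS_ISSUER.
        if self.distrust.get(name) is not Distrust.ENTIRELY:
            self.distrust[name] = scope


def validate_chain(chain: list[Cert], policy: TrustPolicy) -> tuple[bool, str]:
    """Validate an end-entity-first chain; returns (accepted, reason).

    Distrust is checked first and applies even to a trust anchor: it is the
    relying party's own verdict, so no CRL from any CA can override it.
    """
    if not chain:
        return False, "empty chain"

    # 1. Local distrust: a distrusted CA anywhere on the path kills the path.
    #    AS_ISSUER rejects the CA as an issuer only; ENTIRELY also rejects the
    #    CA's own certificate wherever it appears.
    for cert in chain:
        for name, scope in policy.distrust.items():
            if cert.issuer == name or (
                cert.subject == name and scope is Distrust.ENTIRELY
            ):
                return False, f"{name} is distrusted ({scope.value})"

    # 2. Name chaining and basic constraints (toy: no signature checks).
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} is not issued by {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject} is not a CA"

    # 3. The path must end at a configured trust anchor.
    top = chain[-1]
    if top.issuer in policy.anchors or top.subject in policy.anchors:
        return True, "ok"
    return False, f"no trust anchor for {top.subject}"


def demo() -> dict[str, bool]:
    """Constructed mesh: Root A and Root B both certify 'Careless CA'."""
    leaf = Cert("www.example.test", "Careless CA")
    careless_a = Cert("Careless CA", "Root A", is_ca=True)  # issued by Root A
    careless_b = Cert("Careless CA", "Root B", is_ca=True)  # cross-cert from Root B
    results = {}

    open_policy = TrustPolicy(anchors={"Root A", "Root B"})
    results["no distrust, via Root A"] = validate_chain([leaf, careless_a], open_policy)[0]

    # Distrusting one root is not enough in a mesh: the cross-certified path survives.
    root_policy = TrustPolicy(anchors={"Root A", "Root B"})
    root_policy.distrust_ca("Root A", Distrust.ENTIRELY)
    results["Root A distrusted, via Root A"] = validate_chain([leaf, careless_a], root_policy)[0]
    results["Root A distrusted, via Root B cross-cert"] = validate_chain([leaf, careless_b], root_policy)[0]

    # Distrusting the CA itself closes every path that runs through it...
    ca_policy = TrustPolicy(anchors={"Root A", "Root B"})
    ca_policy.distrust_ca("Careless CA", Distrust.AS_ISSUER)
    results["Careless CA distrusted as issuer, via cross-cert"] = validate_chain([leaf, careless_b], ca_policy)[0]
    # ...while AS_ISSUER still accepts the CA's own certificate, and ENTIRELY does not.
    results["Careless CA distrusted as issuer, its own cert"] = validate_chain([careless_b], ca_policy)[0]
    ca_policy.distrust_ca("Careless CA", Distrust.ENTIRELY)
    results["Careless CA distrusted entirely, its own cert"] = validate_chain([careless_b], ca_policy)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {case}")
```

The point the toy makes is that the distrust table lives on the relying party and is consulted before anything the CAs themselves publish; a CRL, with or without a fitting reason code, is the wrong place for it because the CA being distrusted is the party that would have to issue it.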