[openssl-dev] Certificate Limitation Profile
Kurt Roeckx
kurt at roeckx.be
Tue Nov 28 12:25:04 UTC 2017
On Mon, Nov 27, 2017 at 07:56:00PM +0300, Dmitry Belyavsky wrote:
> Here is the link to the draft:
> https://datatracker.ietf.org/doc/draft-belyavskiy-certificate-limitation-policy/
I'm wondering how you think that policy will be distributed and
why it needs signed. I expect that there will always be some way
of authenticating the document if you download it without requiring
that the document is signed itself. For instance it might come
as part of some software distribution (like a browser), and either
you trust all the files in that distribution or you don't.
If it's signed, who will be signing it, and how does the
application know which key to use to verify the signature?
I can also imagine that users might wish to modify that file,
for instance add an internal CA or certificate, not trust some
CA, ... They could of course generate their own key, and tell the
software to use that key.
Kurt
More information about the openssl-dev
mailing list