[openssl-dev] Certificate Limitation Profile

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Nov 28 19:18:48 UTC 2017


I'm wondering how you think that policy will be distributed and
why it needs signed. …

For instance it might come as part of some software distribution (like a browser), and either you trust all the files in that distribution or you don't.

I agree that an unsigned variant of CLP makes sense.

But it seems to me that if CLP is signed by the certificate that can be verified using standard chain of trust, it has some advantages.

I think it makes perfect sense to sign CLP, because it allows you to separate trust in the server you’re downloading the content from and the content itself.
