2011/8/2 Howard Chu hyc@symas.com:
Erwann ABALEA wrote:
2011/8/1 Howard Chu hyc@symas.com: [...]
If there were indeed anything to be gained by such a feature, it would also need to be implemented on clients. Look around - do any web browsers allow you to isolate CAs like this?
Yes. You can basically isolate CAs into 3 categories (they can interleave):
- CAs trusted to issue server certs
- CAs trusted to issue email certs
- CAs trusted to issue code signing certs
Again, nonsense. It's not up to the end-user to configure such things, it's up to the parent CA to set the appropriate keyUsage bits in the CA cert. Again *if you trust the CA in the first place* then you trust it, period. If you don't trust the CA to issue correctly generated certs, then that's a completely separate problem and you shouldn't be dealing with that CA anyway.
Have you ever been involved in having your CA certificate accepted by a browser vendor? Do you really think that because the CA has set the basicConstraints and keyUsage extensions to become a CA, then it is equally trustful for whatever use? Have you ever read a CP and its associated CPS, to verify what the CA performs to validate an identity? Do you really think Mozilla CA Policy people, Microsoft Root CA program people, Opera equivalent team, CABForum members are all X.509 illiterate guys?
I replied to your question: "Look around - do any web browsers allow you to isolate CAs like this?". You can find this by yourself in your browser. Display the list of CAs included, choose one, and edit its "trust bits"; you'll find at least the 3 presented categories. After that, go to the Mozilla CA Policy set of web pages, and read about it. It's public.
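An added example, not from either poster, illustrating the mechanism the two positions both rely on: the extension bits carried in the CA certificate itself are what a client enforces when it validates a chain for a given purpose. It assumes Go's crypto/x509 verifier (which applies the extendedKeyUsage check to every certificate in the chain, not only the leaf) and constructs a throwaway CA and leaf in memory; the names and serials are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert signs tmpl with parentKey under parent; with parent == nil it self-signs.
func makeCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainAllowsUsage builds a throwaway CA in memory (constructed data, not a real CA) whose
// extendedKeyUsage is caEKUs (nil = unconstrained), issues a leaf claiming leafEKUs, and
// reports whether a client validating the chain for `purpose` accepts it. Go checks the
// requested EKU against every certificate in the chain, so the CA's own bits decide too.
func ChainAllowsUsage(caEKUs, leafEKUs []x509.ExtKeyUsage, purpose x509.ExtKeyUsage) bool {
	now := time.Now()
	ca, caKey := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constrained Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: caEKUs,
	}, nil, nil)
	leaf, _ := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.test"}, ExtKeyUsage: leafEKUs,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}
```

A CA whose certificate carries only serverAuth is rejected for code signing even when the leaf claims that usage, while a CA with no EKU extension is accepted for any purpose the leaf asserts.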