Erwann ABALEA wrote:
2011/8/1 Howard Chu<hyc@symas.com>: [...]If there were indeed anything to be gained by such a feature, it would also need to be implemented on clients. Look around - do any web browsers allow you to isolate CAs like this?Yes. You can basically isolate CAs into 3 categories (they can interleave): - CAs trusted to issue server certs - CAs trusted to issue email certs - CAs trusted to issue code signing certs
Again, nonsense. It's not up to the end-user to configure such things, it's up to the parent CA to set the appropriate keyUsage bits in the CA cert. Again *if you trust the CA in the first place* then you trust it, period. If you don't trust the CA to issue correctly generated certs, then that's a completely separate problem and you shouldn't be dealing with that CA anyway.
It's utter nonsense.What is non-sense is having a bag full of CAs for mixed usage. More, you even mix CAs that need to be sent to the client (so it can build a certificate path) with CAs that the server trust (to verify client certs).
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/