Hiya,

On 18/01/2020 15:14, Ryan Sleevi wrote:
> The only way you sort through those is to make sure the only two parties
> are you and the CA - aka defining a root store.
I disagree. PKI inherently has 3 parties involved. Ignoring any one or two of them is what I think leads to the kind of silliness that results in us even mentioning possible mass revocation because of an ill-defined OID. Heartbleed might just about have justified that; this very much does not.

I do fully agree with you that the idea that end entities ever read a CP/CPS is about as realistic as "click yes to accept cookies" or other similar things being meaningful. Sadly, such legal nonsense does seem to be required, but we ought not let it drive what we do. In this case, IMO the blindingly obviously correct thing to do is to recognise the reality of the use of the OID and regularise that. But if that's not going to happen, then the 2nd best (and 99.999% just as good) thing to do is to happily continue to ignore the supposed problem.

Cheers,
S.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu