RE: [Fed-Talk] Change in Cert Validation in 10.6.4?
- Subject: RE: [Fed-Talk] Change in Cert Validation in 10.6.4?
- From: "Miller, Timothy J." <email@hidden>
- Date: Tue, 29 Jun 2010 15:09:11 -0400
>Seems like the FBCA cert should be OK, but Apple doesn't like it. Seems
>like Apple is required to like it per RFC 5280 (or else advertise that
>they do not conform to the relevant IETF standards).
In the end, there's only one or two "fully conformant" PKI implementations, and AFAIK none of them are from the major OS vendors. :) Then there's the argument over what conformance actually means, since lots of things in the standards are ambiguous.
>I also don't think that the NASA CA is in the SystemCACertificates
>keychain as delivered by Apple. Should we complain about that as well?
Installing trust for your own PKIs is your own business. That's what client configuration control is for. That Apple includes the roots it does is a nice-to-have, not something they have to do.
>If there were one there I gather it wouldn't substitute for the chain
>supplied by the originator.
This is unclear and needs specific testing.
-- Tim