Re: Using DNS system as a Global Root Certificate Authority - possible ?

Hi Patrik,

On 12/27/15 6:35 AM, Patrik Fältström wrote:
> On 27 Dec 2015, at 4:11, John C Klensin wrote:
>
>> At that point, the number of trusted intermediaries
>> gets back toward order 40 or 100, not one, unless the question
>> is "do you control this domain" rather than "are you who you say
>> you are".
>
> It is not that bad, as the domain in question is bound to one and only one registrar, which is a mapping that the registry is keeping track of. It is not the case that any registrar can do any change to any domain name.
>
> So, with today's CA system, any CA can sign a cert with any domain name in the CN.
>
> With the DNS and DNSSEC, only registries in the hierarchy from the root can publish the DS, and only one registrar can pass the DS to the parent for publication.

One would like to believe that name constraints as specified by RFC 5280 could be useful, and yet experience seems to show otherwise.  Perhaps all is not lost.  My understanding is that the browser crowd in particular have begun to tighten their requirements for having a CA in their cache.  At least [1] seems to indicate so.  Name constraints are an interesting area of perhaps some continued work.  That is, it seems to me that all CAs should have some Name Constraints.  Further, it also seems to me that very few CA certs should themselves be self-signed.  Here's the problem: if ever there were a brown field, this is it.  That requires some serious navigation through the installed base to make a change.  Along these lines, I think many of us were quite fascinated by Google's "interaction" with Symantec[2], since it seems to represent a potential change in the dynamic.

Eliot

[1] https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf
[2] http://www.pcworld.com/article/2999146/encryption/google-threatens-action-against-symantec-issued-certificates-following-botched-investigation.html

Attachment: signature.asc
Description: OpenPGP digital signature
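As an added illustration of the name-constraints point above (this script is not part of Eliot's message or of the thread), the following builds a small hierarchy with the OpenSSL command-line tools: a self-signed root, an intermediate CA carrying a critical RFC 5280 nameConstraints extension that permits only DNS names at or under example.com, and two end-entity certificates issued by that intermediate. The CA names, the temporary directory layout and the example.com / example.net hostnames are assumptions chosen for the illustration. `openssl verify` accepts the leaf for www.example.com and rejects the one for www.example.net (OpenSSL reports this as "permitted subtree violation"), which is the property Eliot wants every issuing CA to have. It also shows the split he mentions, a self-signed root with a constrained, non-self-signed issuing CA beneath it.

```shell
#!/bin/sh
# Added example (not from the original thread): an intermediate CA with a
# critical RFC 5280 nameConstraints extension, and a leaf inside versus
# outside the permitted subtree.  Requires the openssl CLI.
# CA names and hostnames below are placeholders chosen for the demo.
set -eu

# build_pki DIR: create under DIR
#   root (self-signed, unconstrained)
#     -> intermediate (CA:TRUE, permitted;DNS:example.com)
#        -> leaf for www.example.com (inside the permitted subtree)
#        -> leaf for www.example.net (outside it)
build_pki() {
    pki=$1
    mkdir -p "$pki"
    cat >"$pki/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
# Certificates issued by this CA may only carry DNS names under example.com.
nameConstraints = critical,permitted;DNS:example.com
EOF

    # Self-signed root.
    openssl ecparam -name prime256v1 -genkey -noout -out "$pki/root.key" 2>/dev/null
    openssl req -x509 -new -key "$pki/root.key" -config "$pki/ca.cnf" \
        -extensions v3_root -subj "/CN=Example Root CA" -days 30 \
        -out "$pki/root.pem" 2>/dev/null

    # Constrained intermediate, signed by the root (not self-signed).
    openssl ecparam -name prime256v1 -genkey -noout -out "$pki/int.key" 2>/dev/null
    openssl req -new -key "$pki/int.key" -config "$pki/ca.cnf" \
        -subj "/CN=Example Constrained CA" -out "$pki/int.csr" 2>/dev/null
    openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" \
        -set_serial 2 -days 30 -extfile "$pki/ca.cnf" -extensions v3_int \
        -out "$pki/int.pem" 2>/dev/null

    issue_leaf "$pki" www.example.com 3
    issue_leaf "$pki" www.example.net 4
}

# issue_leaf DIR NAME SERIAL: end-entity cert for NAME, signed by the
# intermediate.  The CA signs whatever it is asked to; the constraint is
# enforced by the relying party at verification time, not at issuance.
issue_leaf() {
    d=$1; name=$2; serial=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$name.key" 2>/dev/null
    openssl req -new -key "$d/$name.key" -config "$d/ca.cnf" \
        -subj "/CN=$name" -out "$d/$name.csr" 2>/dev/null
    printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$name" >"$d/$name.ext"
    openssl x509 -req -in "$d/$name.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial "$serial" -days 30 -extfile "$d/$name.ext" \
        -out "$d/$name.pem" 2>/dev/null
}

# verify_leaf DIR NAME: exit 0 if NAME's cert chains to the root without a
# name-constraint violation, non-zero otherwise (openssl prints error 47,
# "permitted subtree violation", for a name outside the permitted subtree).
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/$2.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    demo_dir=$(mktemp -d)
    build_pki "$demo_dir"
    verify_leaf "$demo_dir" www.example.com && echo "www.example.com: accepted (inside permitted subtree)"
    verify_leaf "$demo_dir" www.example.net || echo "www.example.net: rejected (outside permitted subtree)"
    rm -rf "$demo_dir"
fi
```

Run it as `sh script.sh demo`. Two caveats a practitioner should keep in mind: the constrained CA still happily signs the out-of-scope certificate, so the protection exists only in validators that honour the extension (which is why it is marked critical, so an implementation that does not understand it must reject the chain rather than ignore it), and a constraint of the form `permitted;DNS:example.com` covers the apex and all subdomains, while `.example.com` covers subdomains only.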
