On 27 Dec 2015, at 13:38, Eliot Lear wrote: > One would like to believe that name constraints as specified by RFC 5280 could be useful, and yet experience seems to show otherwise. Perhaps all is not lost. I do not have much to say part from the interaction I already have had with CA/B Forum[1], and what SSAC view on the difference between DNS and traditional cert structure is[2]. My only point was that it is not at all the case that all registrars can make changes to any subdomain of a domain managed by a registry, which was what I read in what John wrote: > At that point, the number of trusted intermediaries gets back toward order 40 or 100, not one, unless the question is "do you control this domain" rather than "are you who you say you are". The registry do keep track of which ones of the registrars can make changes, so not every registrar (i.e. intermediary) can become "trusted". If I misunderstood what he wrote, my apologies. Patrik [1] SAC-057: https://www.icann.org/en/groups/ssac/documents/sac-057-en.pdf [2] SAC-075: https://www.icann.org/en/groups/ssac/documents/sac-075-en.pdf
Attachment:
signature.asc
Description: OpenPGP digital signature