On Tue, 2015-03-24 at 14:29 -0700, Ryan Sleevi wrote:
> For example, is your intent to prevent Google from running its own
> intermediate for its properties? That's the effect of this proposal.

Ryan, thanks for your detailed response. Let me start by replying to the above part of your response.

I'm not convinced my suggestion prevents your example of a corporation that wants an intermediate for their own purposes.

Couldn't you get an intermediate that's constrained to the list of domains that Google controls?

If you're worried that the intermediates are getting too big (because you have so many domains), couldn't you get multiple intermediates, each constrained to a subset of the domains that Google controls?

In my suggestion this was scenario (a), and the CA wouldn't be responsible for mis-issuance by intermediates that are constrained to second-level domains (like google.com or google.co.uk).

Kai

