On 26/03/15 03:59, Peter Kurrasch wrote: > Perhaps I chose my words poorly because my intention actually was to > avoid having to pass judgment at all. Instead of saying to a CA "we > don't trust you enough, please constrain" I was hoping for something > along the lines of "everybody is asked to constrain to make the > internet safer for everyone".
But you say "asked" - and that's the entire difference between my position and yours. I am saying "'ask' is OK; 'require' is not". You are arguing for 'require'. > In terms of who gets to issue for .com, I wouldn't impose a limit of > who can do it, just that you have to tell us you're doing it. If a > intermediate were to be constrained to .com, .net, and .org and > nothing else, I would be fine with that. That would actually be quite > an accomplishment if we could get every CA to just agree to that > much. It depends on the configuration of the CA's systems, but I'm not convinced that a CA significantly improves its security posture by having 10 intermediates which split the entire DNS space up into 10 pieces, rather than one. Those certs may well all be tied to the same issuing system. Also, it means they would have to cut a new intermediate every month, at the moment, if they wanted to serve the new gTLD market. Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
