Hi Brian,

On 18/11/16 19:13, Brian Smith wrote:
> Regardless, the main point of that message of mine was left out: You could
> limit, in policy and in code, the acceptable lifetime of name-constrained
> externally-operated sub-CAs

Presumably the "externally-operated" part would need to be policy, or a code-detectable marker enforced by policy, because there's no way of detecting that otherwise?

> and/or the end-entity certificates they issue
> strictly, independently of whether it can be done for all certificates, and
> doing so would be at least part of the solution to making name-constrained
> externally-operated sub-CAs actually a viable alternative in the market.

I'm not sure what you mean by "a viable alternative" - I thought the concern was to stop them proliferating, if what's underneath them was opaque? And if it's not opaque, why are they not a viable alternative now, and why would restricting their capabilities make them _more_ viable?

Sorry to be lost,

Gerv