On 11/6/13 12:32 PM, Ben Laurie wrote:
>> The second statement, though, is not a reasonable comparison. Registrars operate with the equivalent of name constraints, from a cert issuance perspective, which makes it much better than the WebPKI TA model. Even if the TAs in that model were to issue certs including a name constraints extension, the effect would not be as good as what we have in the DNSSEC/DANE environment.
> I accept that _registries_ are name constrained. Registrars less so.

Yes, I was sloppy in my terminology.
> Not sure I get why this is better than name constrained certificate chains, tho?

Because the constrained chains begin somewhere below the TA, which leaves EVERY TA free to create ANY subordinate CA. Also, ccTLDs represent the sort of sovereign alignment to a PKI that many folks find attractive.
Steve
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass