On 11/6/13 9:56 AM, "Stephen Kent" <[email protected]> wrote:
>
>On 11/6/13 12:32 PM, Ben Laurie wrote:
>>> The second statement, though, is not a reasonable comparison.
>>> Registrars operate with the equivalent of name constraints, from a
>>> cert issuance perspective, which makes it much better than the WebPKI
>>> TA model. Even if the TAs in that model were to issue certs including
>>> a name constraints extension, the effect would not be as good as what
>>> we have in the DNSSEC/DANE environment.
>> I accept that _registries_ are name constrained. Registrars less so.
>Yes, I was sloppy in my terminology.
>> Not sure I get why this is better than name constrained certificate
>> chains, tho?
>>
>Because the constrained chains begin somewhere below the TA, which
>leaves EVERY TA free to create ANY subordinate CA. Also, ccTLDs
>represent the sort of sovereign alignment to a PKI that many folks find
>attractive.
TAs can be constrained (at least in theory). The specs are there - just
no widely used implementation. There is no good reason to stick with the
unconstrained TA model we've been using, though name constraints at
internet scale are hard to define.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
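The mechanics the two messages above argue about, as an added illustration that is not part of the original thread: a toy path validator that applies RFC 5280 section 4.2.1.10 dNSName name constraints (permittedSubtrees and excludedSubtrees) at every level of a chain, and can optionally apply the trust anchor's own constraints, which is what RFC 5937 describes and what the default RFC 5280 section 6.1.1 procedure does not do. The certificate records, CA names and hostnames are constructed for the example and are not real certificates; the point it makes concrete is Kent's "every TA is free to create any subordinate CA" versus Laurie's "TAs can be constrained" - the same rogue sub-CA is accepted or rejected depending only on whether the anchor's constraint is enforced.

```python
"""Toy RFC 5280-style dNSName name-constraint enforcement along a path.

Added example (not code from the perpass thread). Certificates are plain
records carrying only the fields path validation needs here.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Stand-in for an X.509 certificate (constructed, not real)."""
    subject: str
    is_ca: bool = False
    permitted: Optional[List[str]] = None          # permittedSubtrees dNSName; None = absent
    excluded: List[str] = field(default_factory=list)   # excludedSubtrees dNSName
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a subtree when it equals it or is
    formed by adding labels to the left (host.example satisfies "example")."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def intersect_permitted(current: Optional[List[str]],
                        new: Optional[List[str]]) -> Optional[List[str]]:
    """Intersect two permittedSubtrees sets: a subordinate CA can only narrow
    what it inherited. Subtrees with no overlap drop out entirely."""
    if new is None:
        return current
    if current is None:
        return list(new)
    result = []
    for a in current:
        for b in new:
            if dns_name_in_subtree(b, a):
                result.append(b)      # b is inside a: keep the narrower one
            elif dns_name_in_subtree(a, b):
                result.append(a)
    return result


def validate_path(path: List[Cert], hostname: str,
                  enforce_ta_constraints: bool) -> bool:
    """path[0] is the trust anchor, path[-1] the end-entity certificate.

    Returns True when every dNSName in the path lies inside the constraints
    accumulated from the certificates above it and the leaf names `hostname`.
    With enforce_ta_constraints=False the anchor's own extension is skipped,
    which is the plain RFC 5280 6.1.1 behaviour; True applies it as RFC 5937
    allows.
    """
    permitted: Optional[List[str]] = None   # None = unconstrained so far
    excluded: List[str] = []
    for index, cert in enumerate(path):
        # Names in this certificate must satisfy constraints set by issuers above.
        for name in cert.dns_names:
            if any(dns_name_in_subtree(name, s) for s in excluded):
                return False
            if permitted is not None and not any(
                    dns_name_in_subtree(name, s) for s in permitted):
                return False
        if not cert.is_ca:
            continue
        if index == 0 and not enforce_ta_constraints:
            continue                        # classic behaviour: ignore TA extensions
        permitted = intersect_permitted(permitted, cert.permitted)
        excluded = excluded + list(cert.excluded)
    leaf = path[-1]
    return hostname.lower() in [n.lower() for n in leaf.dns_names]


def demo() -> dict:
    """Constructed chains illustrating the thread's point. Returns outcome flags."""
    root = Cert("Example Root", is_ca=True, permitted=["example"])       # anchor bound to one TLD
    sub_ca = Cert("Corp Sub-CA", is_ca=True, permitted=["corp.example"])  # narrower sub-CA
    rogue_ca = Cert("Unconstrained Sub-CA", is_ca=True)                   # root mints it with no constraint
    widen_ca = Cert("Widening Sub-CA", is_ca=True, permitted=["example"]) # tries to re-widen below sub_ca
    corp_leaf = Cert("www.corp.example", dns_names=["www.corp.example"])
    other_leaf = Cert("www.other.example", dns_names=["www.other.example"])
    foreign_leaf = Cert("bank.test", dns_names=["bank.test"])
    return {
        "corp_leaf_accepted": validate_path(
            [root, sub_ca, corp_leaf], "www.corp.example", True),
        "widened_leaf_accepted": validate_path(
            [root, sub_ca, widen_ca, other_leaf], "www.other.example", True),
        "rogue_leaf_accepted_with_ta_constraints": validate_path(
            [root, rogue_ca, foreign_leaf], "bank.test", True),
        "rogue_leaf_accepted_without_ta_constraints": validate_path(
            [root, rogue_ca, foreign_leaf], "bank.test", False),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

The last two outcomes are the thread's disagreement in miniature: with the anchor's constraint ignored (the default), the root's unconstrained sub-CA can issue for any name at all; with it enforced, the same chain fails even though the sub-CA itself carries no name constraints extension. The widening case shows the other half of the mechanism, namely that a subordinate CA cannot expand the set it inherited by adding a broader permittedSubtrees of its own.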
