On 6 November 2013 17:56, Stephen Kent <[email protected]> wrote:
>
> On 11/6/13 12:32 PM, Ben Laurie wrote:
>>>
>>> The second statement, though, is not a reasonable comparison. registrars operate
>>> with the equivalent of name constraints, from a cert issuance perspective, which
>>> makes it much better than the WebPKI TA model. Even if the TAs in that model were
>>> to issue certs including a name constraints extension, the effect would
>>> not be as good as what we have in the DNSSEC/DANE environment.
>>
>> I accept that _registries_ are name constrained. Registrars less so.
>
> yes, I was sloppy in my terminology.
>
>> Not sure I get why this is better than name constrained certificate
>> chains, tho?
>>
> because the constrained chains begin somewhere below the TA, which leaves EVERY
> TA free to create ANY subordinate CA. Also, ccTLDs represent the sort of
> sovereign alignment to a PKI that many folks find attractive.
For exactly the reason many find it unattractive :-)
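To make the structural point in the quoted exchange concrete, here is an added example (not code from the thread or from either author) that models how RFC 5280 dNSName name constraints accumulate down a chain. It is a toy path check, not a validator: no signatures, no other name forms, only permittedSubtrees/excludedSubtrees for DNS names. The `Cert` class, the `demo()` chains and every CA and host name in it are constructed for illustration. It shows the two things Kent describes: a constraint placed on a sub-CA binds only that sub-CA's subtree, while the unconstrained trust anchor above it remains free to issue a sibling sub-CA with no constraint at all; by contrast, a registry-style hierarchy that is constrained from the top can only narrow as it descends.

```python
"""Toy model of X.509 dNSName name constraints along a certificate chain.

Added example, not from the perpass thread. Only the dNSName form of the
nameConstraints extension (RFC 5280 section 4.2.1.10) is modelled: a
permitted base "example.org" covers example.org and any name formed by
adding labels on the left (www.example.org). Constraints accumulate
(intersect) as the chain is walked from the trust anchor to the leaf.
All names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Minimal stand-in for a certificate: only the fields the check needs."""
    subject: str
    dns_names: List[str] = field(default_factory=list)   # leaf SAN dNSName entries
    permitted: Optional[List[str]] = None                # permittedSubtrees; None = no extension
    excluded: List[str] = field(default_factory=list)    # excludedSubtrees


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: match if name equals base or is base with one
    or more labels prepended (so 'badexample.org' does not match 'example.org')."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def intersect_subtrees(current: Optional[List[str]], new: List[str]) -> List[str]:
    """Intersect permitted subtrees: keep the more specific base wherever one
    base lies inside the other; bases disjoint from everything drop out."""
    if current is None:                      # nothing constrained yet
        return list(new)
    kept = [b for b in new if any(dns_in_subtree(b, c) for c in current)]
    kept += [c for c in current
             if any(dns_in_subtree(c, b) for b in new) and c not in kept]
    return kept


def validate_chain(chain: List[Cert]) -> List[str]:
    """Walk from the trust anchor (chain[0]) to the leaf (chain[-1]),
    accumulating constraints, and report every leaf name that violates them.
    An empty list means the leaf's names are all acceptable."""
    permitted: Optional[List[str]] = None    # None = unconstrained so far
    excluded: List[str] = []
    for ca in chain[:-1]:
        if ca.permitted is not None:
            permitted = intersect_subtrees(permitted, ca.permitted)
        excluded.extend(ca.excluded)         # exclusions only ever grow
    violations = []
    for name in chain[-1].dns_names:
        if permitted is not None and not any(dns_in_subtree(name, p) for p in permitted):
            violations.append(f"{name}: outside permitted subtrees {permitted}")
        if any(dns_in_subtree(name, x) for x in excluded):
            violations.append(f"{name}: inside excluded subtrees {excluded}")
    return violations


def demo() -> Dict[str, List[str]]:
    """Constructed chains contrasting the two models discussed in the thread."""
    # WebPKI shape: the trust anchor itself carries no constraint.
    ta = Cert("Root TA (unconstrained)")
    constrained_ca = Cert("Sub-CA for example.org", permitted=["example.org"])
    unconstrained_ca = Cert("Sibling sub-CA with no nameConstraints")
    in_scope = Cert("leaf", dns_names=["www.example.org"])
    out_of_scope = Cert("leaf", dns_names=["login.example.net"])

    # Registry shape: the constraint starts at the top and can only narrow.
    registry = Cert(".org registry (constructed)", permitted=["org"])
    holder = Cert("example.org holder (constructed)", permitted=["example.org"])

    return {
        "constrained_in_scope": validate_chain([ta, constrained_ca, in_scope]),
        "constrained_out_of_scope": validate_chain([ta, constrained_ca, out_of_scope]),
        # Nothing above the TA limits it, so it may issue a second sub-CA
        # without constraints, and that sub-CA may certify any name.
        "unconstrained_sibling": validate_chain([ta, unconstrained_ca, out_of_scope]),
        "registry_in_scope": validate_chain([registry, holder, in_scope]),
        "registry_out_of_scope": validate_chain([registry, holder, out_of_scope]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'OK' if not result else result}")
```

Running it prints OK for the in-scope chains and for the unconstrained sibling, and a violation for the out-of-scope leaf under either constrained chain; the sibling case is the one the quoted message is about, since the constraint lives in the sub-CA rather than in the anchor. A real validator would also process URI, rfc822Name and IP address forms, reject a chain whose permitted set has intersected down to nothing, and of course verify signatures and validity periods.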
