Carl,
..
TAs can be constrained (at least in theory). The specs are there - just
no widely used implementation. There is no good reason to stick with the
unconstrained TA model we've been using, though name constraints at
internet scale are hard to define.
Many of the WebPKI TAs are revenue producing entities, and thus they have no
desire to be constrained in the range of names they can insert into the certs
they issue.
Of course one can imagine other TA models, which is why DANE is, IMHO, a great
alternative.
Steve
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass