> On Wed, Sep 18, 2013 at 08:47:17PM +0000, Viktor Dukhovni wrote:
> > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
> > > > This is only realistic with DANE TLSA (certificate usage 2 or 3),
> > > > and thus will start to be realistic for SMTP next year (provided
> > > > DNSSEC gets off the ground) with the release of Postfix 2.11, and
> > > > with luck also a DANE-capable Exim release.
> > >
> > > What's wrong with name-constrained intermediates?
> >
> > X.509 name constraints (critical extensions in general) typically
> > don't work.

Which is why the CAB Forum and Mozilla made the pragmatic move to promote
the use of X.509 name constraints as a non-critical extension.

> > And public CAs don't generally sell intermediate CAs with name constraints.
> Rather undercuts their business model.

Public CAs are starting to offer name-constrained intermediate CAs to
suitable customers. Why wouldn't we? - It doesn't undercut our business
model any more than selling a wildcard certificate.

> --
> Viktor.

Robin Alden
Comodo

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
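The thread above turns on two facts about name-constrained intermediates: the constraint is enforced by the relying party at path validation (nothing stops the intermediate's key from signing a certificate for a name outside its subtree), and the `critical` flag on the nameConstraints extension decides what a validator that does not understand the extension does with the chain (RFC 5280: reject it if critical, ignore the extension if not). The following Go program is an added example written for this page, not code from Comodo, from Viktor Dukhovni or from the list; it uses only the Go standard library. It builds a constructed test root, a customer intermediate whose nameConstraints permits one DNS subtree, and server certificates both inside and outside that subtree, then runs Go's path validation against them. All names (`example.com`, `www.example.net`, the subject strings) are constructed placeholders; the `critical` switch only changes how the extension is flagged, since Go's verifier honours the constraint either way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// testChain is a constructed toy PKI: root -> name-constrained intermediate -> server certs.
type testChain struct {
	rootCert  *x509.Certificate
	interCert *x509.Certificate
	interKey  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates tmpl signed by parent (self-signed when parent == tmpl) and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // output of CreateCertificate always parses
	return cert
}

// caTemplate returns a CA certificate template valid from an hour ago for one day.
func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// buildChain issues a root and an intermediate whose nameConstraints extension
// permits only the given DNS subtrees; critical selects how that extension is flagged.
func buildChain(permitted []string, critical bool) *testChain {
	rootKey, interKey := newKey(), newKey()
	root := caTemplate(1, "Constructed Test Root")
	rootCert := sign(root, root, &rootKey.PublicKey, rootKey)
	inter := caTemplate(2, "Constructed Customer Intermediate")
	inter.PermittedDNSDomains = permitted
	inter.PermittedDNSDomainsCritical = critical
	interCert := sign(inter, rootCert, &interKey.PublicKey, rootKey)
	return &testChain{rootCert: rootCert, interCert: interCert, interKey: interKey}
}

// issueLeaf has the intermediate issue a server certificate for dnsName. Nothing here
// stops it issuing outside its subtree: the constraint binds relying parties, not the CA.
func (c *testChain) issueLeaf(dnsName string) *x509.Certificate {
	leafKey := newKey()
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    c.interCert.NotBefore,
		NotAfter:     c.interCert.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(leaf, c.interCert, &leafKey.PublicKey, c.interKey)
}

// verifyLeaf runs Go's path validation, which enforces the intermediate's nameConstraints
// whether or not the extension is critical; a nil result means the chain is valid for dnsName.
func (c *testChain) verifyLeaf(leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.rootCert)
	inters.AddCert(c.interCert)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err
}

// nameConstraintsCritical reports whether the nameConstraints extension (OID 2.5.29.30)
// in cert carries the critical flag.
func nameConstraintsCritical(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 30}) {
			return ext.Critical
		}
	}
	return false
}
```

With `buildChain([]string{"example.com"}, false)`, a leaf for `www.example.com` validates, while a leaf for `www.example.net`, although correctly signed by the intermediate, fails with `x509.CANotAuthorizedForThisName`; passing `true` instead only flips the critical bit on the intermediate's extension, which is the encoding choice the thread says older validators choke on.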