On 2/14/12 10:04 PM, "Paul Lambert" <[email protected]> wrote:
> <snip>
> Ok. This is an interesting topic. If I accept a random certificate it should
> be able to be constrained by the user/admin to a specific range of usage.
> For TLS and classic PKI, this would be a range of DNS names.
>
> Right now, all the root certs in my store can create certificates in
> most any range. A fundamental principle we need to consider is local
> end-point constraint of trust.
>
> If I could do this - then the random root cert that I accept for
> your signature could be locally constrained to be just for you or
> a small domain range (e.g. an enterprise)

Yep. There are specs that enable this (RFCs 5914 and 5937) but they are not in wide use.

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
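The following is an added example, not code from the thread or from either RFC, showing the mechanism the two messages are talking about: a relying party attaches its own dNSName constraints to a trust anchor in its local store (the RFC 5937 idea of using trust anchor constraints during path processing) and those constraints are enforced, together with any nameConstraints carried by intermediates, before a leaf certificate is accepted. Certificates and the trust anchor are modelled as plain dataclasses with constructed sample names, so it runs offline with the standard library; the names, CA labels and the `Cert`/`TrustAnchor` shapes are assumptions made for the illustration, not real X.509 parsing.

```python
"""Local trust-anchor constraints, in the spirit of RFC 5937 (added example)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy certificate (constructed data): only the fields this check needs."""
    subject: str
    issuer: str
    dns_names: Tuple[str, ...] = ()   # subjectAltName dNSName values
    permitted: Tuple[str, ...] = ()   # nameConstraints permittedSubtrees (dNSName)
    excluded: Tuple[str, ...] = ()    # nameConstraints excludedSubtrees (dNSName)


@dataclass(frozen=True)
class TrustAnchor:
    """A root in the local store plus the constraints the local admin put on it.
    The relying party, not the CA, decides where this anchor may be used."""
    name: str
    permitted: Tuple[str, ...] = ()   # () means "no local restriction"
    excluded: Tuple[str, ...] = ()


def dns_within(name: str, subtree: str) -> bool:
    """RFC 5280 section 4.2.1.10 dNSName rule: a name satisfies a constraint when it
    equals it or adds whole labels on the left ('host.example.com' is within
    'example.com'; 'bexample.com' is not)."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def intersect_permitted(current: Sequence[str], new: Sequence[str]) -> list:
    """Intersect two sets of permitted subtrees by keeping the narrower member of
    each overlapping pair. An empty result means nothing at all is permitted."""
    out = []
    for a in current:
        for b in new:
            if dns_within(b, a):
                out.append(b)
            elif dns_within(a, b):
                out.append(a)
    return out


def validate_path(anchor: TrustAnchor, path: Sequence[Cert]) -> Tuple[bool, str]:
    """Walk the path anchor-first. Seed the constraint state from the anchor's
    local constraints, check each certificate's dNSNames against the state so far,
    then fold that certificate's own nameConstraints in for its subordinates."""
    permitted: Optional[list] = list(anchor.permitted) or None  # None = unconstrained
    excluded = list(anchor.excluded)
    expected_issuer = anchor.name
    for cert in path:
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issuer {cert.issuer!r} does not chain to {expected_issuer!r}"
        for n in cert.dns_names:
            if permitted is not None and not any(dns_within(n, p) for p in permitted):
                return False, f"{cert.subject}: {n} outside permitted subtrees {permitted}"
            if any(dns_within(n, e) for e in excluded):
                return False, f"{cert.subject}: {n} inside excluded subtrees {excluded}"
        if cert.permitted:
            permitted = (intersect_permitted(permitted, cert.permitted)
                         if permitted is not None else list(cert.permitted))
        excluded.extend(cert.excluded)
        expected_issuer = cert.subject
    return True, "path accepted"


# Constructed sample data: the same ad hoc root, once as shipped (unconstrained)
# and once pinned by the local admin to example.com minus an internal zone.
RANDOM_ROOT = TrustAnchor("CN=Random Root CA")
PINNED_ROOT = TrustAnchor("CN=Random Root CA", permitted=("example.com",),
                          excluded=("internal.example.com",))
ISSUING_CA = Cert("CN=Example Issuing CA", "CN=Random Root CA")
MAIL_LEAF = Cert("CN=mail.example.com", "CN=Example Issuing CA",
                 dns_names=("mail.example.com", "example.com"))
BANK_LEAF = Cert("CN=bank.example.net", "CN=Example Issuing CA",
                 dns_names=("bank.example.net",))
INTERNAL_LEAF = Cert("CN=wiki.internal.example.com", "CN=Example Issuing CA",
                     dns_names=("wiki.internal.example.com",))

if __name__ == "__main__":
    for anchor in (RANDOM_ROOT, PINNED_ROOT):
        label = "locally constrained" if anchor.permitted else "unconstrained"
        for leaf in (MAIL_LEAF, BANK_LEAF, INTERNAL_LEAF):
            ok, why = validate_path(anchor, [ISSUING_CA, leaf])
            print(f"{label:20} {leaf.subject:30} {'OK' if ok else 'REJECT'}: {why}")
```

With the unconstrained anchor every leaf the root can reach is accepted, which is the situation the quoted message complains about; with the pinned anchor the same root can no longer vouch for `bank.example.net`, and an intermediate that carries its own `permitted` subtrees narrows the allowed set further rather than widening it.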
