>> If I could do this - then the random root cert that I accept for
>> your signature could be locally constrained to be just for you or
>> a small domain range (e.g. an enterprise)
>
> Yep. There are specs that enable this (RFCs 5914 and 5937) but they are
> not in wide use.
Thanks. Appreciate the pointers.

Providing an explicit limitation of trust is an important design requirement. A well thought out design, but the complexity may be limiting adoption. Then again - the complexity is a function of the core 509 framework ... if trust expressions were easier to express, would there be better adoption and more trustworthy implementations?

Paul

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
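The mechanism the two posters are describing, a relying party attaching its own name constraints to a root it accepts (the TrustAnchorInfo of RFC 5914) and applying them during path processing as RFC 5937 does, as an added illustration that is not part of the thread or of any IETF reference code. Certificates are modelled as plain dicts with constructed sample names; signature verification, validity periods and the remaining RFC 5280 path checks are assumed to happen elsewhere, and the name-matching rules follow RFC 5280 section 4.2.1.10 for dNSName and rfc822Name only. The store key `root-a-fingerprint` and all hostnames are made up.

```python
"""
Relying-party-side trust anchor constraints.

The relying party keeps a local table: accepted root -> name constraints.
Before trusting a path that chains to that root, every name in every
certificate of the path must fall inside the permitted subtrees and outside
the excluded subtrees, exactly as if the root carried a NameConstraints
extension (the RFC 5937 approach).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Name = Tuple[str, str]  # ("dns", "host.example.com") or ("email", "user@host")


@dataclass
class TrustAnchorConstraints:
    """Name constraints the relying party attaches to one accepted root."""
    permitted: List[Name] = field(default_factory=list)
    excluded: List[Name] = field(default_factory=list)


def _dns_match(name: str, subtree: str) -> bool:
    """dNSName constraint: whole name or a match on a label boundary,
    so 'notexample.com' does NOT match the constraint 'example.com'."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def _email_match(name: str, subtree: str) -> bool:
    """rfc822Name constraint: a full mailbox, a single host, or a
    leading-dot form ('.example.com') for every host in a domain."""
    name, subtree = name.lower(), subtree.lower()
    if "@" not in name:
        return False
    host = name.split("@", 1)[1]
    if "@" in subtree:
        return name == subtree
    if subtree.startswith("."):
        return host.endswith(subtree)
    return host == subtree


_MATCHERS = {"dns": _dns_match, "email": _email_match}


def name_allowed(name: Name, c: TrustAnchorConstraints) -> bool:
    """RFC 5280 semantics: excluded subtrees win; a name type with no
    permitted subtree listed is unconstrained for that type."""
    kind, value = name
    match = _MATCHERS.get(kind)
    if match is None:
        # Name form we cannot evaluate: allow only if no constraint mentions it.
        return not any(k == kind for k, _ in c.permitted + c.excluded)
    if any(k == kind and match(value, sub) for k, sub in c.excluded):
        return False
    permitted = [sub for k, sub in c.permitted if k == kind]
    return not permitted or any(match(value, sub) for sub in permitted)


def evaluate_path(anchor_id: str, path: List[Dict],
                  store: Dict[str, TrustAnchorConstraints]) -> Tuple[bool, str]:
    """Apply the local constraints for `anchor_id` to every certificate in
    `path` (anchor-issued cert first, leaf last). A root absent from the
    local store is simply not trusted."""
    c = store.get(anchor_id)
    if c is None:
        return False, f"{anchor_id} is not a locally accepted trust anchor"
    for cert in path:
        for name in cert["names"]:
            if not name_allowed(name, c):
                return False, (f"{name[1]} in {cert['label']} is outside "
                               f"the local constraints on {anchor_id}")
    return True, f"all names fall inside the local constraints on {anchor_id}"


# Constructed sample data: a "random root" accepted only for example.com,
# with an internal sub-domain carved out.
LOCAL_STORE = {
    "root-a-fingerprint": TrustAnchorConstraints(
        permitted=[("dns", "example.com"), ("email", ".example.com")],
        excluded=[("dns", "internal.example.com")],
    )
}


def demo() -> Dict[str, bool]:
    """Decisions for a few constructed paths chaining to the constrained root."""
    leaf = lambda *names: [{"label": "leaf", "names": list(names)}]
    return {
        "in_domain": evaluate_path("root-a-fingerprint",
                                   leaf(("dns", "www.example.com"),
                                        ("email", "alice@mail.example.com")),
                                   LOCAL_STORE)[0],
        "other_domain": evaluate_path("root-a-fingerprint",
                                      leaf(("dns", "www.example.org")),
                                      LOCAL_STORE)[0],
        "lookalike": evaluate_path("root-a-fingerprint",
                                   leaf(("dns", "notexample.com")),
                                   LOCAL_STORE)[0],
        "excluded_subtree": evaluate_path("root-a-fingerprint",
                                          leaf(("dns", "db.internal.example.com")),
                                          LOCAL_STORE)[0],
        "unknown_root": evaluate_path("root-b-fingerprint",
                                      leaf(("dns", "www.example.com")),
                                      LOCAL_STORE)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} -> {'accept' if accepted else 'reject'}")
```

The point of checking every certificate in the path, not just the leaf, is that an intermediate issued by the constrained root for some other name space is rejected too; that is what makes the constraint a bound on the root rather than a filter on one leaf. Subject CNs, IP-address and URI name forms are not handled here, and a real validator must combine these local constraints with any NameConstraints carried in the chain itself.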
