On Fri 2022-01-21 15:23:56 +0000, Salz, Rich wrote:

> Second, there is the history of poor behavior by some CA's, which
> leads to the primary user agent (browsers, or perhaps TLS runtimes)
> not being able to just completely trust them. Perhaps that historic
> era has passed, and it is time for user agents to end their probation
> of CA's? Not for me to say.
The argument of "we don't trust (some of) the CAs" is usually used to mean "we are not willing to accept their cryptographic assertions of identity in certain contexts". But here, you're using it to mean "we are going to accept their cryptographic assertions of identity even in contexts that they claim are not valid". This is a surprising inversion.

--dkg
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls