On 7/20/16, 12:06 PM, "Salz, Rich" <rs...@akamai.com> wrote:

>> >I think this could work, but I believe there are use cases
>> >(specifically, CDNs) where people do not want to advertise the
>> >delegation.
>>
>> I favor solutions where the relying party can be aware of the
>> delegation if they want to be.
>
>FWIW, in the CDN case origin sites generally *do not* want the end-user
>to be able to know.
>
>I'd think legitimate origin owner desire trumps general visibility.

Use the extension as the means of signaling authorization to the CA. The
CA could omit the extension from the issued certificate when local policy
permits it and include the extension in the certificate when it does not.
Interested parties can verify the extension when present; disinterested
parties can ignore it without penalty.



_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
