On 12/03/15 22:54, Peter Kurrasch wrote:
> This backwards compatibility problem is a fatal flaw, but I have an
> alternative in mind: establish and enforce boundaries within the
> intermediates. The browser can enforce a policy that a technical
> constraint be specified somewhere between the root and the end cert.
> Where exactly in the chain that happens is not important so long as it's
> found and the boundaries established are not violated. The absence of
> the constraint would flag an error. Or, perhaps, a special table would
> be used to provide "default" boundaries.

What would prevent that constraint being extremely lax? Or what would
prevent a CA issuing one intermediate for all the TLDs starting a-m, and
another for all of the TLDs starting n-z? The mere presence of a
restriction is not a meaningful restriction :-)

> It is certainly a good idea to encourage any CA to self-constrain but we
> do need a way to forcibly constrain all CAs. Allowing any CA to opt-out
> defeats the whole purpose.

And not allowing CAs to opt out means we are forcibly constraining the
business areas in which particular CAs may operate. I shudder at the
thought of the task of trying to do that in a fair manner. (And I don't
think "preserve the status quo" is fair.)

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
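Both positions in the exchange above can be written down as a chain-walking check: Peter's rule that a name constraint must appear somewhere between root and end-entity cert, and Gerv's objection that the mere presence of a constraint is not a meaningful restriction. The Go program below is an added example, not code from the thread or from Mozilla; it builds a constructed test PKI with the standard crypto/x509 package, and its reading of "meaningful" (a permitted subtree that is a whole TLD counts as no constraint) is an assumption chosen to make Gerv's point concrete, not something the thread defines.

```go
package main

import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"; "math/big"; "strings"; "time")

// issue builds one cert of a constructed test PKI: a CA whose permitted subtrees (if any) become a
// critical nameConstraints extension, or a server leaf with SAN name; self-signed when parent is nil.
func issue(name string, isCA bool, permitted []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0}
	if !isCA { // leaf: one DNS SAN, server-auth EKU, no CA bits
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{name}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// hasMeaningfulConstraint is the policy from the thread: some CA cert between root and leaf must carry
// a name constraint, and (assumption) a permitted subtree that is a whole TLD, a single label, does not count.
func hasMeaningfulConstraint(chain []*x509.Certificate) bool {
	for _, c := range chain[1:] {
		for _, d := range c.PermittedDNSDomains {
			if strings.Contains(strings.Trim(d, "."), ".") {
				return true
			}
		}
	}
	return false
}
// demo issues intermediates that are unconstrained, constrained to the bare TLD "org" and constrained to
// example.org, plus a leaf for two hosts under each; a pair is accepted only if standard chain building
// (which already rejects a name outside a constraint that is present) succeeds and the policy holds.
func demo() map[string]bool {
	root, rootKey := issue("Test Root", true, nil, nil, nil)
	roots, inters, out := x509.NewCertPool(), x509.NewCertPool(), map[string]bool{}
	roots.AddCert(root)
	for label, permitted := range map[string][]string{"open": nil, "tld": {"org"}, "tight": {"example.org"}} {
		inter, interKey := issue("Intermediate "+label, true, permitted, root, rootKey)
		inters.AddCert(inter)
		for _, host := range []string{"www.example.org", "other.test"} {
			leaf, _ := issue(host, false, nil, inter, interKey)
			chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
			out[label+"/"+host] = err == nil && hasMeaningfulConstraint(chains[0])
		}
	}
	return out
}
```

Only the leaf for www.example.org under the intermediate constrained to example.org is accepted: the unconstrained intermediate fails Peter's rule, the "org"-only intermediate passes ordinary chain validation but fails the meaningfulness check, and other.test is rejected by the verifier itself wherever a constraint is present.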