On Thu, 16 Aug 2018, Matthew Hardeman via dev-security-policy wrote:
> 1. Run one or more root CAs
Why would people not in the business of being a CA do a better job than those currently in the CA business?
> I recognize it's a radical departure from what is. I'm interested in understanding if anything proposed here is impossible. If what's proposed here CAN happen, AND IF we are confident that valid certificates for a domain label should unambiguously align to domain control, isn't this the ultimate solution?
If you want a radical change that makes it simpler, start doing TLSA in DNSSEC and skip the middle man that issues certs based on DNS records.

Paul