I read through draft-rescorla-tls-subcerts-01 and I ran into some basic questions.
I have been wondering why the TLS server operator obtains an end-entity certificate from a CA (which cannot be used to sign further certificates) instead of running an intermediate CA him-/herself. This would work without requiring any changes to the client side. The proposed solution, although technically feasible, will unfortunately take a long time to deploy since it requires cooperation from clients, servers, and also from CAs.

What is also not clear to me is why some of the certificate management protocols, which provide the necessary level of automation, cannot be used with CAs to request short-lived certificates.

Ciao
Hannes
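The alternative Hannes sketches above, an operator-run intermediate issuing its own short-lived leaf certificates, can be exercised end to end with nothing but the openssl command line. The script below is an added example, not code from the list message, from the draft, or from any CA; the root it creates stands in for the issuing CA, and every name in it (example.com, the attacker.test hostname, the work directory) is a constructed assumption. It builds a root, a name-constrained intermediate with pathlen:0 (the kind of restriction a CA would insist on before delegating issuance), has the intermediate issue one-day leaves, and then shows what a client sees: the in-scope leaf validates, the out-of-scope one is rejected by the nameConstraints, and the leaf really does expire within the short window.

```shell
#!/bin/sh
# Added example (not from the list message or draft-rescorla-tls-subcerts):
# an operator-run, name-constrained intermediate CA issuing short-lived leaves,
# built with the openssl CLI (1.1.1 or later). All names and paths are
# constructed assumptions for illustration.
set -eu

# Generate an unencrypted P-256 private key at PATH.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1" >/dev/null 2>&1
}

# build_pki DIR: throwaway root (stands in for the public CA) plus an operator
# intermediate restricted to *.example.com and unable to issue further CAs.
build_pki() {
    dir="$1"
    mkdir -p "$dir"

    gen_key "$dir/root.key"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    openssl req -new -key "$dir/root.key" -subj "/CN=Constructed Test Root" \
        -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -sha256 -extfile "$dir/root.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # The operator holds int.key. pathlen:0 stops it minting sub-CAs and the
    # nameConstraints pin it to the operator's own domain; both are enforced
    # by the verifying client, not by the signer.
    gen_key "$dir/int.key"
    cat > "$dir/int.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:.example.com
EOF
    openssl req -new -key "$dir/int.key" -subj "/CN=Operator Intermediate" \
        -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/int.ext" \
        -out "$dir/int.crt" >/dev/null 2>&1
}

# issue_leaf DIR NAME DAYS: the intermediate issues an end-entity certificate
# for NAME valid for DAYS days (the "short-lived certificate" from automation).
issue_leaf() {
    dir="$1"; name="$2"; days="$3"
    gen_key "$dir/$name.key"
    cat > "$dir/$name.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:$name
EOF
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" >/dev/null 2>&1
}

# verify_leaf DIR NAME: what an unmodified client does - build the chain
# leaf -> intermediate -> trusted root and match the hostname. Exit 0 = accepted.
verify_leaf() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" \
        -verify_hostname "$name" "$dir/$name.crt" >/dev/null 2>&1
}

# is_short_lived DIR NAME SECONDS: exit 0 when the leaf expires within SECONDS.
# (-checkend exits non-zero when the certificate will expire in that window.)
is_short_lived() {
    dir="$1"; name="$2"; window="$3"
    ! openssl x509 -in "$dir/$name.crt" -noout -checkend "$window" >/dev/null 2>&1
}

main() {
    work="${TMPDIR:-/tmp}/subcerts-demo.$$"
    build_pki "$work"
    issue_leaf "$work" www.example.com 1     # in scope, one-day lifetime
    issue_leaf "$work" www.attacker.test 1   # outside the permitted subtree
    if verify_leaf "$work" www.example.com; then
        echo "www.example.com: chain accepted"
    else
        echo "www.example.com: unexpected rejection"
    fi
    if verify_leaf "$work" www.attacker.test; then
        echo "www.attacker.test: unexpectedly accepted"
    else
        echo "www.attacker.test: rejected (nameConstraints)"
    fi
    if is_short_lived "$work" www.example.com 172800; then
        echo "www.example.com: expires within two days"
    fi
    rm -rf "$work"
}

main
```

Nothing here touches the client: the rejection of www.attacker.test and the one-day validity both fall out of ordinary X.509 path validation, which is the point made in the message. What the script cannot show is the organisational side, namely whether a public CA is willing to sign int.csr for an ordinary subscriber at all; that, rather than any technical limit, is what the draft's delegated-credential approach works around.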