Nico Williams <[email protected]> wrote: > But also: how much does this differ from changing the Chrome Root > Program policy to say that intermediate CAs chaining to WebPKI roots can > only issue EE certs with clientAuth when they have only dNSName SANs > (and either empty DNs or just CN=<FQDN>)? Because this alternative is > much cheaper in terms of code that needs to change.
Yes. And do we have any chance that NameConstraints can be used finally? and/or marked critical. -- Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
