On 27 Dec 2015, at 13:38, Eliot Lear wrote:
> One would like to believe that name constraints as specified by RFC 5280
> could be useful, and yet experience seems to show otherwise. Perhaps all is
> not lost.

I do not have much to say apart from the interaction I already have had with
CA/B Forum[1], and what the SSAC view on the difference between DNS and traditional
cert structure is[2].
My only point was that it is not at all the case that all registrars can make
changes to any subdomain of a domain managed by a registry, which was what I
read in what John wrote:
> At that point, the number of trusted intermediaries gets back toward order 40
> or 100, not one, unless the question is "do you control this domain" rather
> than "are you who you say you are".

The registry does keep track of which ones of the registrars can make changes, so
not every registrar (i.e. intermediary) can become "trusted".
If I misunderstood what he wrote, my apologies.
Patrik
[1] SAC-057: https://www.icann.org/en/groups/ssac/documents/sac-057-en.pdf
[2] SAC-075: https://www.icann.org/en/groups/ssac/documents/sac-075-en.pdf