[cabfpub] Misissuance of certificates

Sigbjørn Vik sigbjorn at opera.com
Wed Dec 9 02:17:27 MST 2015


On 08-Dec-15 00:49, Ryan Sleevi wrote:
> 
> 
> On Mon, Dec 7, 2015 at 3:38 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> 
>     Sigbjørn,
> 
>     While we agree with this proposal, it wouldn't address our key use case.
> 
>     We've talked to very large customers about technically-constrained
>     intermediates, and this is consistently not doable because their
>     list of owned domains changes so frequently. After further
>     consideration, issuing internal-only or non-browser certs from a
>     private root is the most straightforward and comprehensive approach.
> 
> 
> Rick,
> 
> When you say "private root", you mean a root that is exempted from the
> Baseline Requirements (presumably, because it is not a publicly trusted
> root), correct?
> 
> If that's a correct understanding, would it be fair to interpret your
> response as meaning that you withdraw your concerns, because they would
> not affect you? Or are there still concerns you feel with this proposal
> that, even under the scenario you described, would require modification
> to the proposed language?

Let me lift this question to the group at large. Does the exception for
certificates issued from technically constrained intermediates solve any
use cases?

I am happy to leave it in there if it aids adoption of the ballot, but
if nobody is going to use it anyway, it will only add complications and
loopholes to the BRs, for no gain. In which case I'd rather remove it.

-- 
Sigbjørn Vik
Opera Software

