[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS everywhere!



* Simon McVittie <smcv@debian.org>, 2014-06-17, 13:20:
It should be possible to make a CA certificate that is only considered to be valid for the spi-inc.org and debian.org subtrees, and then trust the assertion that SPI control that certificate - but in widely-used applications, that isn't possible.

In theory, the Name Constraints extension should allow one to achieve what you said:
http://tools.ietf.org/html/rfc5280#section-4.2.1.10
No idea how well it is supported, though.

--
Jakub Wilk


Reply to: