Re: HTTPS everywhere!
On Tue, Jun 17, 2014 at 02:34:27PM +0200, Jakub Wilk wrote:
> * Simon McVittie <email@example.com>, 2014-06-17, 13:20:
> >It should be possible to make a CA certificate that is only considered to
> >be valid for the spi-inc.org and debian.org subtrees, and then trust the
> >assertion that SPI control that certificate - but in widely-used
> >applications, that isn't possible.
> In theory, the Name Constraints extension should allow one to achieve what
> you said:
> No idea how well it is supported, though.
This should be supported by all libraries, and is being used.
More and more intermediate CAs are in the process of becomming