Dear all,
Spurred by recent IDs and events I've been thinking harder about how
to get what we want out of TLS, DNS, and their interaction at the
WebPKI.
Fundamentally browsers can't rely on DNS to provide information about
authentication because resolvers break that connection, and enforcing
that

On Fri, 27 Sep 2024, 22:36 Watson Ladd wrote:
> On Fri, Sep 27, 2024 at 1:34 PM Dmitry Belyavsky wrote:
> >
> > It looks like a terrible idea for me.
> >
> > Imagine a country that currently doesn't have any trusted roots included
> > in browser's bundle. Currently such countries can suspend an

It looks like a terrible idea for me.
Imagine a country that currently doesn't have any trusted roots included in
browser's bundle. Currently such countries can suspend any domain in their
zone. Your proposal gives them an opportunity to transparently replace the
certificate that gives much more c

On Fri, Sep 27, 2024 at 1:34 PM Dmitry Belyavsky wrote:
>
> It looks like a terrible idea for me.
>
> Imagine a country that currently doesn't have any trusted roots included in
> browser's bundle. Currently such countries can suspend any domain in their
> zone. Your proposal gives them an oppor

It appears that Watson Ladd said:
>To my mind the registry should be able to issue X509 certs for second
>level domains/whoever controls a public suffix. After all, they know
>where you change DNS. Haven't sorted out how to deal with the level
>below that. Do others find this line of thought comp