On Sat, Sep 28, 2024 at 07:43:09AM -0700, Watson Ladd wrote:
> > Nothing is gained by registries becoming (name constrained) WebPKI CAs.
> > Indeed that works poorly, because in the RRR model, the registrant has
> > no authenticated channel to the registry to request certificate
> > issuance, the
On Fri, Sep 27, 2024 at 11:55:52AM -0700, Watson Ladd wrote:
> Spurred by recent IDs and events I've been thinking harder about how
> to get what we want out of TLS, DNS, and their interaction at the
> WebPKI.
>
> Fundamentally browsers can't rely on DNS to provide information about
> authenticat
On Sat, Sep 28, 2024, 6:16 AM Viktor Dukhovni wrote:
> On Fri, Sep 27, 2024 at 11:55:52AM -0700, Watson Ladd wrote:
>
> > Spurred by recent IDs and events I've been thinking harder about how
> > to get what we want out of TLS, DNS, and their interaction at the
> > WebPKI.
> >
> > Fundamentally br