This got a lot of discussion early in the design process and the consensus was that the risk of having the default mode (with existing certs) allow the creation of a long-term delegation was too high. See, for instance, the relative impact of the recent paper by Jager at al. [0] on TLS 1.3 and QUIC.
With that said, I think this would be a good feature to look at in future and the right way to do it is to: 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to PKIX. 2. Add a subcert extension to TLS 1.3. Best, -Ekr [0] https://www.nds.rub.de/media/nds/.../2015/08/21/*Tls13Quic*Attacks.pdf On Wed, Mar 30, 2016 at 2:46 AM, Bill Cox <waywardg...@google.com> wrote: > IIRC, TLS 1.3 will not offer big companies the ability to create > short-lived sub-certificates specific to remote satellite locations. This > forces companies to choose between good physical security for their signing > certs, or having fast connection times. Am I recalling correctly that TLS > 1.3 has this problem? I thought we fixed this in QUIC crypto. > > Thanks, > Bill > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
