> Naïve question: why not simply get a constrained CA certificate and issue
> short-validity end entity certs?

Wouldn't you need one for every potential user? And the nameConstraints then becomes a union of all SAN fields?

> Short-lived credential approach seems more viable than
> draft-mglt-lurk-tls-requirements-00 (which requires an additional round-trip
> between the Edge Server and Content Provider).

Except that the RSALG and/or "keyless SSL" approach are already deployed.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
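A worked illustration of the "union of all SAN fields" point above, added here and not part of the thread: given every DNS name a constrained intermediate would ever need to sign, it computes the permittedSubtrees that intermediate must carry, and lists which names a fixed constraint set leaves uncovered. It assumes dNSName constraints only, matched with RFC 5280's subdomain rule; the sample names are constructed.

```python
from typing import Iterable


def _covered(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint: 'example.com' permits example.com and any subdomain."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)


def permitted_subtrees(sans: Iterable[str]) -> list[str]:
    """Smallest set of dNSName permittedSubtrees that covers every SAN.

    This is the 'union of all SAN fields' the constrained CA certificate
    would have to carry. Parents are processed before children so that a
    constraint on example.com absorbs www.example.com and api.example.com.
    """
    names = sorted({s.lower().rstrip(".") for s in sans},
                   key=lambda n: (n.count("."), n))
    result: list[str] = []
    for n in names:
        if not any(_covered(n, c) for c in result):
            result.append(n)
    return sorted(result)


def uncovered(sans: Iterable[str], constraints: Iterable[str]) -> list[str]:
    """Names the constrained CA could NOT issue for without being re-issued."""
    constraints = list(constraints)
    return sorted(s for s in set(sans)
                  if not any(_covered(s, c) for c in constraints))


# Constructed sample: names the edge would serve for two content providers.
SAMPLE_SANS = ["www.example.com", "example.com", "api.example.com",
               "cdn.example.net"]

if __name__ == "__main__":
    print(permitted_subtrees(SAMPLE_SANS))
    # Onboarding a new provider's domain is outside the existing constraint,
    # so the intermediate itself has to be re-issued with a wider union.
    print(uncovered(SAMPLE_SANS + ["new-provider.org"],
                    permitted_subtrees(SAMPLE_SANS)))
```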