On Fri, Jul 15, 2016 at 12:28:18AM +0000, Andrei Popov wrote:
> Naïve question: why not simply get a constrained CA certificate and
> issue short-validity end entity certs? Unless I'm missing something,
> this would work with existing TLS implementations, no extensions
> required.

The I-D actually covers this. Additionally, I think getting an NC certificate is quite expensive/difficult.

> Short-lived credential approach seems more viable than
> draft-mglt-lurk-tls-requirements-00 (which requires an additional
> round-trip between the Edge Server and Content Provider).

Those two serve different purposes. Sometimes you really need the ES/KS split, sometimes short-lived certs would be more useful.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
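The constrained-CA plus short-validity leaf arrangement Andrei describes, as an added example that is not part of this thread or of any LURK draft: it builds a name-constrained CA, issues a 24-hour end-entity certificate under it, and checks the leaf's SAN against the constraint. It assumes the pyca/cryptography package; the names and the simplified suffix-match check are constructed for illustration.

```python
# Added example (not from the thread). Assumes pyca/cryptography.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def make_name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_constrained_ca(permitted_suffix):
    """Self-signed CA (stands in for a CA delegated to the content provider)
    whose critical Name Constraints permit only DNS names under permitted_suffix."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(make_name("Constrained Delegated CA"))
            .issuer_name(make_name("Constrained Delegated CA"))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.NameConstraints(
                permitted_subtrees=[x509.DNSName(permitted_suffix)],
                excluded_subtrees=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_short_lived(ca_key, ca_cert, hostname, hours=24):
    """Issue the short-validity leaf an edge server would deploy: hours long, not years."""
    ee_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(make_name(hostname))
            .issuer_name(ca_cert.subject)
            .public_key(ee_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(hours=hours))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return ee_key, cert


def name_permitted(ca_cert, ee_cert):
    """Relying-party side check: every SAN DNS name of the leaf must sit inside the
    CA's permitted subtree (simplified suffix match, constructed for this example)."""
    nc = ca_cert.extensions.get_extension_for_class(x509.NameConstraints).value
    permitted = [s.value for s in nc.permitted_subtrees if isinstance(s, x509.DNSName)]
    sans = ee_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    names = sans.get_values_for_type(x509.DNSName)
    return all(any(n == p or n.endswith("." + p) for p in permitted) for n in names)


def validity_hours(cert):
    """Length of the validity window in hours (uses the *_utc accessors when present)."""
    start = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return (end - start).total_seconds() / 3600
```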