I agree, that's why I only see a security gain if the theft of the
certificate remains undetected.


On 05/04/17 14:35, Salz, Rich wrote:
>>    Server operators
>>    often want to create short-lived certificates for servers in low-
>>    trust zones such as CDNs or remote data centers.
> But as currently specified, that low-trust short-lived certificate, if 
> captured, can be used to spoof the operator anywhere else in the world.  Yes, 
> for a shorter time than the long-lived "true" key, but this still seems like 
> a footgun.
>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
