On Mon, Mar 23, 2026 at 06:21:47PM +0000, Tomas Gustavsson wrote:
> > We should admit that the CA infrastructure has failed us for nearly
> > all use-cases. Either the CA infrastructure is the web, and
> > (despite the CA/B forum rules) it's OK to use web certs in non-web
> > contexts. Or, the CA infrastructure is more than the web, and we
> > need to have new, non-web CAs with rules
> > outside of the CA/B forum.

[I can't figure out who wrote this.]

There was never _a singular_ PKI to refer to as _the_ PKI. The WebPKI
is a collection of PKIs w/o name constraints, so not really _a PKI_.

There is _a singular_ PKI of sorts today that we could refer to as
_the_ PKI, though it is not an x.509 PKI: the DNS w/ DNSSEC. My advice
is to pursue DANCE.

> There are tons of CAs outside of the WebPKI/CA/B Forum ecosystem. For
> web and non-web use cases. EU TSPs, X9 Financial PKI, Adobe, ICAO,
> just to mention a few well known. [...]

Right, and none are _the_ PKI. There is no _the PKI_ outside of DNSSEC.

Nico
--
