It was in Alan DeKok's message.

________________________________
From: Nico Williams <[email protected]>
Sent: Monday, March 23, 2026 11:37 AM
To: Tomas Gustavsson <[email protected]>
Cc: Michael Richardson <[email protected]>; Salz, Rich 
<[email protected]>; Tls <[email protected]>; [email protected] 
<[email protected]>
Subject: Re: [lamps] Re: TLS Client Certificates; a survey

On Mon, Mar 23, 2026 at 06:21:47PM +0000, Tomas Gustavsson wrote:
> > We should admit that the CA infrastructure has failed us for nearly
> > all use-cases.  Either the CA infrastructure is the web, and
> > (despite the CA/B forum rules) it's OK to use web certs in non-web
> > contexts.  Or, the CA infrastructure is more than the web, and we
> > need to have new, non-web CAs with rules
> > outside of the CA/B forum.

[I can't figure out who wrote this.]

There was never _a singular_ PKI to refer to as _the_ PKI.  The WebPKI
is a collection of PKIs w/o name constraints, so not really _a PKI_.

There is _a singular_ PKI of sorts today that we could refer to as _the_
PKI, though it is not an x.509 PKI: the DNS w/ DNSSEC.  My advice is to
pursue DANCE.

> There are tons of CAs outside of the WebPKI/CA/B Forum ecosystem. For
> web and non-web use cases. EU TSPs, X9 Financial PKI, Adobe, ICAO,
> just to mention a few well known. [...]

Right, and none are _the_ PKI.  There is no _the PKI_ outside of DNSSEC.

Nico
--
