On Mar 24, 2026, at 7:21 AM, Tomas Gustavsson <[email protected]> wrote:

> > We should admit that the CA infrastructure has failed us for nearly all
> > use-cases. Either the CA infrastructure is the web, and (despite the CA/B
> > forum rules) it's OK to use web certs in non-web contexts. Or, the CA
> > infrastructure is more than the web, and we need to have new, non-web CAs
> > with rules outside of the CA/B forum.
>
> There are tons of CAs outside of the WebPKI/CA/B Forum ecosystem.
Where can I get a certificate for mail.example.com that is (a) trusted by
end-user systems, and (b) is limited to id-kp-This-Is-A-Mail-Server?

What happens now is one of 3 things:

1) use a web cert, and lie to the CA/B forum about what you're using it for.
   This (allegedly) means that they can revoke it at any point for misuse

2) use a private CA, and have everyone else on the Internet refuse to talk
   to you, as your CA is unknown

3) don't use TLS.

Alan DeKok.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
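The bind described in the message above, as an added worked example that is not part of the thread and not code from any CA product: a throwaway private CA issues two certificates for mail.example.com, one WebPKI-style (id-kp-serverAuth only) and one carrying only a mail-server purpose, and a purpose-aware verifier is run against each, once with the private root trusted and once with a peer that has never seen it. No id-kp-This-Is-A-Mail-Server OID exists, so the code uses a placeholder OID under an assumed private enterprise arc; the hostname, the CA name and all function names (NewPrivateCA, IssueWebCert, IssueMailCert, NoRoots, VerifyMailServerCert) are the example's own. Only Go's standard crypto/x509 is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MailServerEKU stands in for the post's "id-kp-This-Is-A-Mail-Server"; no such EKU exists,
// so this is a placeholder OID under an assumed private enterprise arc (an assumption).
var MailServerEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// PrivateCA is an in-memory root: the "option 2" CA that only its operator trusts.
type PrivateCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // trust store holding just this root
}

// sign generates a P-256 key for tmpl and has parent/signer sign it (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil { return nil, nil, err }
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewPrivateCA(name string) (*PrivateCA, error) {
	cert, key, err := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &PrivateCA{Cert: cert, Key: key, Pool: pool}, nil
}

// issue signs a leaf for host carrying exactly the given EKUs (the leaf key is not kept here).
func (ca *PrivateCA) issue(host string, std []x509.ExtKeyUsage, custom []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		Subject:            pkix.Name{CommonName: host},
		DNSNames:           []string{host},
		NotAfter:           time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:        std,
		UnknownExtKeyUsage: custom,
	}, ca.Cert, ca.Key)
	return cert, err
}

// IssueWebCert mimics a WebPKI leaf (serverAuth only); IssueMailCert carries only the mail purpose.
func (ca *PrivateCA) IssueWebCert(host string) (*x509.Certificate, error) {
	return ca.issue(host, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, nil)
}
func (ca *PrivateCA) IssueMailCert(host string) (*x509.Certificate, error) {
	return ca.issue(host, nil, []asn1.ObjectIdentifier{MailServerEKU})
}
func NoRoots() *x509.CertPool { return x509.NewCertPool() } // a peer that has never heard of the CA

// VerifyMailServerCert chains the leaf to a trusted root for host, then insists the EKU names the
// mail purpose. Go's Verify only knows the standard EKUs, so KeyUsages is set to Any (Verify then
// skips its own EKU check) and the custom OID is checked by hand.
func VerifyMailServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(MailServerEKU) {
			return nil
		}
	}
	return errors.New("leaf EKU does not include the mail-server purpose")
}

func main() {
	ca, err := NewPrivateCA("Example Private Root")
	if err != nil { panic(err) }
	web, _ := ca.IssueWebCert("mail.example.com")
	mail, _ := ca.IssueMailCert("mail.example.com")
	fmt.Println("1) web cert offered as mail cert: ", VerifyMailServerCert(web, ca.Pool, "mail.example.com"))
	fmt.Println("2) mail cert, CA unknown to peer: ", VerifyMailServerCert(mail, NoRoots(), "mail.example.com"))
	fmt.Println("   mail cert, CA trusted by peer: ", VerifyMailServerCert(mail, ca.Pool, "mail.example.com"))
}
```

Run as-is, the first line reports an EKU failure (a serverAuth-only certificate is not limited to the mail purpose, which is why "use a web cert" only works if the verifier ignores EKU), the second reports an unknown-authority chain error (the private root is trusted by nobody else), and only the third, where the verifier already trusts the private root, succeeds. The verifier side is the part worth copying: chain-build first, then an explicit EKU match against the purpose you expect, since Go's own EKU check cannot express a private OID.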
