[cabfpub] Misissuance of certificates
Ryan Sleevi
sleevi at google.com
Mon Dec 7 16:49:01 MST 2015
On Mon, Dec 7, 2015 at 3:38 PM, Rick Andrews <Rick_Andrews at symantec.com>
wrote:
> Sigbjørn,
>
> While we agree with this proposal, it wouldn't address our key use case.
>
> We've talked to very large customers about technically-constrained
> intermediates, and this is consistently not doable because their list of
> owned domains changes so frequently. After further consideration, issuing
> internal-only or non-browser certs from a private root is the most
> straightforward and comprehensive approach.
>
Rick,
When you say "private root", you mean a root that is exempted from the
Baseline Requirements (presumably, because it is not a publicly trusted
root), correct?
If that's a correct understanding, would it be fair to interpret your
response as meaning that you withdraw your concerns, because they would not
affect you? Or are there still concerns you feel with this proposal that,
even under the scenario you described, would require modification to the
proposed language?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20151207/1b9275a1/attachment.html
More information about the Public
mailing list