[Cryptography] Verisimilitrust

John Denker jsd at av8n.com
Fri Jan 8 13:57:51 EST 2016


On 01/08/2016 02:09 AM, Peter Gutmann wrote:

> Kazakhstan requesting that their MITM certificate be added to the browser
> trust lists:
> 
>   It would appear from this information, that this CA (and probably others
>   like it) is deliberately serving a dual role:

1) Isn't this exactly the sort of problem that NameConstraints were
 supposed to alleviate, at least 15+ years ago?
     https://www.rfc-editor.org/rfc/rfc2459.txt

2) If not, can somebody explain why not?

Some people on this list are quite contemptuous of NameConstraints,
but I've never understood the argument.  The usual argument seems
to be:  "We refuse to implement them because they are useless because
we refuse to implement them."

To say the same thing the other way:  It seems like a suitably-constrained
.kz CA would give people an incentive to start respecting the constraints.

If not, why not?
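
Added example, not part of the original message: a sketch of what a relying party would check if a national CA carried a dNSName name constraint, using the subtree matching rule from RFC 5280 section 4.2.1.10 (the later revision of the RFC 2459 profile linked above). The permitted subtree "kz" and all host names are constructed sample values, and only dNSName subjectAltName entries are considered.

```python
# Added illustration: dNSName name-constraint matching (RFC 5280, 4.2.1.10).
# The CA constraint and the host names below are constructed sample values.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def within_subtree(dns_name, constraint):
    """True if dns_name equals constraint or adds labels on its left."""
    n, c = _labels(dns_name), _labels(constraint)
    # Compare whole labels from the right, so "notkz" never matches "kz".
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def check_dns_names(san_dns_names, permitted=(), excluded=()):
    """Return (ok, violations) for a leaf certificate's dNSName entries.

    A name fails if it is inside any excluded subtree, or if permitted
    subtrees exist and it is inside none of them.
    """
    violations = []
    for name in san_dns_names:
        if any(within_subtree(name, e) for e in excluded):
            violations.append((name, "excluded"))
        elif permitted and not any(within_subtree(name, p) for p in permitted):
            violations.append((name, "not permitted"))
    return (not violations, violations)

# Hypothetical constrained national CA: permitted dNSName subtree "kz".
KZ_PERMITTED = ("kz",)

if __name__ == "__main__":
    samples = (
        ["host.example.kz", "www.example.kz"],   # inside the subtree
        ["www.example.com"],                     # outside: rejected
        ["host.example.kz", "mail.example.org"], # one bad name fails the cert
        ["kz.example.com", "notkz"],             # look-alikes: rejected
    )
    for sans in samples:
        print(sans, check_dns_names(sans, permitted=KZ_PERMITTED))
```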


