HN2new | past | comments | ask | show | jobs | submitlogin

Unlikely and would cause problems. Parent was suggesting that they should be cleared separately without having to update browsers. I like the certificate transparency idea better though, and I wonder if it is possible to refuse new certs via public endpoints but allow certs to be manually added to the logs and SCTs to be manually issued, in case going that far is needed.


What problems, precisely? Sure, it would prevent current CAs from selling sub-CA certificates without coordinating with browser vendors. That's the point. What's a legitimate use case for doing so?


Yes, but the point is that this "coordinating" can be done without users having to update browsers themselves.


All the major browsers have automatic updates these days. And if the coordination doesn't include a browser whitelist, it has no teeth.


I just edited my comment to mention the certificate transparency solution.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: