@BRIAN_____ wait.. Did browsers start supporting name constrained intermediates?
@frgx All browsers will work w/ them if it isn't marked critical. Safari & other MacOSX/iOS-based things won't enforce the constraints.
@BRIAN_____ @frgx I thought X509 only supported a single signature, which is presumably from your CA, which won't issue you an intermediate.
@mcpherrinm @frgx Get multiple CAs to sell you NC'd intermediates. Possible in theory. May be too hard and too expensive in practice.
@BRIAN_____ @mcpherrinm @frgx CT info suggests NC subs are still rare, suggesting still expensive
@pzb @BRIAN_____ @frgx didn't realize they were available at all. If safari/osx/iOS don't enforce constraints, can't I mitm them with this?
@mcpherrinm @pzb @frgx Yep. But, also, CAs often can give you your own int. CA cert but keep the key and control the issuance themselves.
@BRIAN_____ @pzb @frgx okay, thanks. This whole thing makes sense to me now!