@alexstamos The 'ideal' world is that FB could obtain a name-constrained subCA for http://facebook.com and then do whatever it wants
-
-
Replying to @sleevi_
@sleevi_@alexstamos disagree. we don't need more CAs, even sub. I can't get one why should a multi million USD corp get one? dafaq.1 reply 0 retweets 0 likes -
Replying to @a_z_e_t
@a_z_e_t@sleevi_@alexstamos Everybody should be able to get one. They are "just" better wildcard certs.2 replies 0 retweets 1 like -
Replying to @BRIAN_____
@BRIAN_____@a_z_e_t Actually we should force one set of rules for ALL CAs. Some BR all agree on & are forced to comply with. No exceptions.1 reply 0 retweets 0 likes -
Replying to @TheSecurityFail
@BRIAN_____@a_z_e_t If a private person can comply w/ all those requirements, why not allow that CA? Make it hard enough & you'll be fine.1 reply 0 retweets 0 likes -
Replying to @TheSecurityFail
@BRIAN_____@a_z_e_t Which doesn't mean the current CAB/F BR are easy to comply with, but they must be enforced. No TBTF exemptions!1 reply 0 retweets 0 likes -
Replying to @TheSecurityFail
@TheSecurityFail@BRIAN_____ yea but that's CA vs. sub-CA.1 reply 0 retweets 0 likes -
Replying to @a_z_e_t
@a_z_e_t@BRIAN_____ A Sub-CA is like a normal CA where somebody indicated he believes your lies. With a normal CA you lie to yourself.1 reply 0 retweets 0 likes -
Replying to @TheSecurityFail
@TheSecurityFail@BRIAN_____ well they said 'name restricted'.2 replies 0 retweets 0 likes -
Replying to @a_z_e_t
@a_z_e_t@BRIAN_____ Name restrictions usually don't work. Or is there any widely deployed tool doing it right?2 replies 0 retweets 0 likes
@TheSecurityFail @a_z_e_t RFC 5280 Name constraints *do* work in every major browser except maybe Safari. (May be fixed in latest OS X.)
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.