I am still a little lost by what LE has to do with this. LE is just another CA. Definitionally, Digicert must solve the same problem.
I'm so late to this, but I had to jump in & say that the analog to webpki the original poster wanted is definitely not CT, which does not enforce connection security based on website desires - it's HPKP (in HTTP) or DANE (in DNS). You can argue DANE doesn't work, which is fine.
-
I wanted a solution that gets part of the assurance of HPKP without the giant PITA that is HPKP, which Chrome is deprecating anyway. https://www.chromestatus.com/feature/5903385005916160 …
-
Maybe the browsers need to maintain a mapping of common CA name ("digicert") -> roots, and let HPKP specify CA name. (Doesn't solve pinning to leafs though)
-
That seems easily doable (updated every major browser version) with CCADB. (cc @wthayer)