undefined | Better HN

0 pointstsimionescu1y ago0 comments

It is given the design of the PKI and DNS. There's no relation between CA and the TLDs on the certificate being signed.

0 comments

This is true, but it’s an old design that has been (in my opinion at least) obviously wrong since the very beginning of HTTPS. Microsoft could easily fix it, at least for clients that can manage to use an updated API.

tsimionescuOP1y ago

Microsoft has nowhere near the power to change the PKI and/or DNS. And it's not an API problem, it's a problem of where companies go to get their legitimate certs. If there are a lot of companies getting their certs for international TLDs from country CAs, or country TLDs from international CAs, then you have to wait for huge systemic changes before enforcing any kind of TLD-CA relationship.

account421y ago

Microsoft has absolute power about the restrictions they support in their root store.

1 more reply

j / k navigate · click thread line to collapse

0 comments

amluto1y ago

tsimionescuOP1y ago

account421y ago

Microsoft has absolute power about the restrictions they support in their root store.

1 more reply

j / k navigate · click thread line to collapse