by namibj 2304 days ago
I wish they'd issue short-term scoped CAs under the same criteria as they currently use for wildcards.

No significant load on their infrastructure, and you'd not have to break the "private keys don't move over _any_ network" rule.

1 comment

https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/

Delegated Credentials is the proposed mechanism to do what you actually want to achieve here. The certificate issuance is mostly the same, except there's an OID, 1.3.6.1.4.1.44363.44, and the digitalSignature KU is present, meaning this certificate is intended to be used with Delegated Credentials and thus can sign things.

Although tightly constrained subCAs (which is roughly what you're describing) might be a way to achieve your goal, it's seen as disproportionately complicated and risky, hence this proposed, much more narrowly defined new feature for TLS.