|
|
|
|
|
|
by entropyie
1251 days ago
|
|
|
Most of my comments mention the fact that the escape hatch should be limited to certain use cases, such as local networks, certain TLDs etc... Tying the validation requirements and CA bundle to the TLD would be a useful strategy and would in fact increase security in most cases. For example imagine the official Chinese government CA can only issue certs for .cn . The TLD could also mandate TLS v1.3 and the latest crypto algorithm. This simultaneously protects the Chinese from Western interference, and Google from Chinese interference. "Encryption only" never-expiring certs could be specifically banned for .com .bank etc... but allowed for .local, .lan, .hobby and plain IP addresses. This increases security across the board without sacrificing autonomy. |
|
|