[SSL Observatory] Number of CAs

Adam Langley agl at google.com
Thu Dec 8 14:34:31 PST 2011


On Thu, Dec 8, 2011 at 5:17 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> This makes sense to me, but sending two separate intermediate certs
> seems to violate the TLS spec:

The TLS spec is mostly guidelines at this point. For this and other
examples, see http://www.imperialviolet.org/2011/02/04/oppractices.html

> So the administrator of example.com is still left with the necessity of
> getting a certificate from exactly one CA.

That is correct. I don't know any way around that at present.

It would be possible to change this in a backward compatible fashion,
although at the cost of seriously bloating the server's handshake.

Such a change, however, would not be significant unless a large number
of sites adopted it. Otherwise revoking a major CA would still be
extremely costly for a browser.


Cheers

AGL
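
The rule dkg is pointing at (and that AGL says makes a site depend on exactly one CA) is the TLS 1.2 Certificate message structure in RFC 5246 section 7.4.2: the certificate_list is one chain, the sender's certificate first, with each following certificate directly certifying the one before it. The following Python is an added example, not code from the original thread or from either author: it encodes and parses that handshake framing and checks the ordering rule, then shows why a list carrying two intermediates for the same subject (the usual "cross-signed by a second root" case) fails the check. The certificates are constructed, unsigned toy DER structures with only the fields needed to read issuer and subject; the helper names (`toy_cert`, `check_single_chain`, and so on) are this example's own.

```python
"""Added example: TLS 1.2 Certificate message framing and the single-chain rule.
Toy certificates are constructed here; they carry no keys or signatures."""

# --- minimal DER encode/decode helpers (enough for the toy certificates) ----

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, payload):
    """One DER TLV."""
    return bytes([tag]) + der_len(len(payload)) + payload

def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

OID_CN = der(0x06, bytes([0x55, 0x04, 0x03]))  # id-at-commonName 2.5.4.3

def name(cn):
    """X.501 Name holding a single commonName attribute (SEQUENCE OF SET OF ...)."""
    attr = der(0x30, OID_CN + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))

def toy_cert(subject_cn, issuer_cn, serial):
    """Constructed X.509-shaped certificate: real field order, placeholder contents."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))   # [0] version v3
              + der(0x02, bytes([serial]))    # serialNumber
              + der(0x30, b"")                # signature AlgorithmIdentifier (empty, toy)
              + name(issuer_cn)               # issuer
              + der(0x30, b"")                # validity (empty, toy)
              + name(subject_cn)              # subject
              + der(0x30, b""))               # subjectPublicKeyInfo (empty, toy)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # + sigAlg + signature

def issuer_and_subject(cert):
    """Return the raw DER bytes of (issuer, subject) from tbsCertificate."""
    _, tbs_start, _ = der_read(cert, 0)           # outer Certificate SEQUENCE
    _, pos, tbs_end = der_read(cert, tbs_start)   # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = der_read(cert, pos)
        fields.append((tag, cert[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                      # optional [0] version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]

# --- TLS 1.2 Certificate handshake message (RFC 5246 7.4.2) -----------------

def u24(n):
    return n.to_bytes(3, "big")

def certificate_message(chain):
    """HandshakeType certificate(11) + uint24 length + certificate_list<0..2^24-1>."""
    cert_list = b"".join(u24(len(c)) + c for c in chain)
    body = u24(len(cert_list)) + cert_list
    return bytes([11]) + u24(len(body)) + body

def parse_certificate_message(msg):
    """Undo the framing and return the DER certificates in wire order."""
    if msg[0] != 11:
        raise ValueError("not a Certificate handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    if int.from_bytes(body[0:3], "big") != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 3
    while pos < len(body):
        n = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs

def check_single_chain(certs):
    """Sender's certificate first; each following certificate must directly
    certify the one preceding it (issuer bytes == next subject bytes)."""
    if not certs:
        return False, "empty certificate_list"
    for i in range(1, len(certs)):
        prev_issuer, _ = issuer_and_subject(certs[i - 1])
        _, subject = issuer_and_subject(certs[i])
        if prev_issuer != subject:
            return False, f"certificate {i} does not certify certificate {i - 1}"
    return True, "single well-ordered chain"

# Constructed sample chains (toy certificates, not real ones)
LEAF = toy_cert("example.com", "Intermediate A", 1)
INTER_A = toy_cert("Intermediate A", "Root A", 2)
INTER_A_CROSS = toy_cert("Intermediate A", "Root B", 3)  # same subject, second root

VALID_CHAIN = [LEAF, INTER_A]                    # one issuer path: OK
TWO_INTERMEDIATES = [LEAF, INTER_A, INTER_A_CROSS]  # two intermediates: violates the rule

if __name__ == "__main__":
    for label, chain in (("valid", VALID_CHAIN), ("two intermediates", TWO_INTERMEDIATES)):
        msg = certificate_message(chain)
        print(label, len(msg), "bytes:", check_single_chain(parse_certificate_message(msg)))
```

The check compares the issuer and subject Name encodings byte for byte, which is what RFC 5280 path building does before any signature verification; a second intermediate with the same subject but a different issuer cannot sit in the list without breaking the "certifies the one preceding it" relation, so a server has exactly one chain and thus one CA per handshake. TLS 1.3 (RFC 8446, section 4.4.2) later relaxed this, requiring only that the end-entity certificate come first and advising clients to tolerate extra certificates and arbitrary ordering.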


