
The solution is somewhat simple - have Let's Encrypt (or any root CA) issue an intermediary CA limited to your domain. You "only" need devices to trust the root CA and could issue certs at will. The problem is that this use case was/is a threat to the CA business model and is not really supported in the current cert infrastructure.


Isn't that mostly because the necessary X.509 extension isn't widely supported?

Of course, this seems like a chicken and egg problem, but my point is that adoption would take a couple of years in practice.


Yep, as long as relevant specs are not implemented by the majority of things touching trust (including appliances with very long update cycles), this is, sadly, "no bueno".
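Added example, not part of the thread: a sketch of the check a relying party has to perform for a domain-limited intermediate CA, assuming the extension discussed above is X.509 Name Constraints (RFC 5280, section 4.2.1.10). The function names and domains are constructed for illustration; the last case models a verifier that does not implement the extension.

```python
# Added illustration: dNSName matching for the X.509 Name Constraints
# extension (RFC 5280, section 4.2.1.10). All names below are constructed.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def within(name, subtree):
    """True if `name` equals `subtree` or adds labels to its left-hand side."""
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s

def allowed(name, permitted, excluded=()):
    """Apply permitted/excluded dNSName subtrees to one SAN entry."""
    if any(within(name, e) for e in excluded):
        return False          # exclusions always win
    if not permitted:
        return True           # no permitted dNSName subtree: unrestricted
    return any(within(name, p) for p in permitted)

def relying_party_accepts(san_names, permitted, excluded=(),
                          understands_nc=True, critical=True):
    """Model a verifier deciding on a leaf issued under a constrained CA.

    A verifier that does not implement the extension must reject the chain
    when the extension is critical, but ignores it entirely when it is not.
    """
    if not understands_nc:
        return not critical
    return all(allowed(n, permitted, excluded) for n in san_names)

if __name__ == "__main__":
    permitted = ["corp.example"]            # constructed constraint
    for sans in (["vpn.corp.example"], ["notcorp.example"], ["bank.example"]):
        print(sans, relying_party_accepts(sans, permitted))
    # Legacy verifier, non-critical extension: constraint is not enforced.
    print(relying_party_accepts(["bank.example"], permitted,
                                understands_nc=False, critical=False))
```

Matching is done label by label, so `notcorp.example` does not fall under `corp.example` even though it shares a string suffix.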



