You can get a certificate for a fixed list of domains.

If name constraints were implemented more widely, that'd be great. But someone has to write the code, debug it, ship it, etc., and then you have to wait until lots of people have upgraded, etc., and ultimately wildcard certs work well enough.

> If name constraints were implemented more widely, that'd be great. But someone has to write the code, debug it, ship it

Without name constraints I assert the system is inherently broken. You cannot limit trust other than yes/no.

> ultimately wildcard certs work well enough.

"Well enough" is arguable. The problem is that your attack surface grows with each machine rather than having a private key per machine.
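To make concrete what a name-constrained CA lets a verifier enforce (the "limit trust beyond yes/no" point above, and the per-zone scoping a wildcard cannot give), here is an added example, not code from the thread: a stand-alone Python check of the dNSName form of RFC 5280 name constraints. The CA names, zones and SANs are constructed for illustration; the leading-dot form follows OpenSSL's convention of matching subdomains only.

```python
"""Name-constraint check for dNSName entries, per RFC 5280 section 4.2.1.10.

Added example, not from the thread. It models only the dNSName form:
a constraint "example.com" permits that host and every name below it, and
the OpenSSL-style leading-dot form ".example.com" permits subdomains only.
Excluded subtrees take precedence over permitted ones.
"""


def dns_matches(name: str, base: str) -> bool:
    """True if `name` lies in the subtree described by constraint `base`."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base == "":                      # empty constraint matches everything
        return True
    if base.startswith("."):            # OpenSSL convention: subdomains only
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def check_constraints(leaf_dns_names, permitted, excluded):
    """Return (ok, reason) for a leaf's dNSName SANs against a CA's constraints.

    Any name inside an excluded subtree fails. When the CA lists permitted
    dNSName subtrees, every leaf name must fall inside at least one of them.
    """
    for name in leaf_dns_names:
        for base in excluded:
            if dns_matches(name, base):
                return False, f"{name} is inside excluded subtree {base}"
        if permitted and not any(dns_matches(name, b) for b in permitted):
            return False, f"{name} is outside every permitted subtree"
    return True, "all names satisfy the constraints"


if __name__ == "__main__":
    # Constructed scenario: a per-team issuing CA constrained to its own zone,
    # with an admin subtree carved out so it cannot issue for those hosts.
    permitted = ["team-a.corp.example"]
    excluded = ["admin.team-a.corp.example"]
    for sans in (["api.team-a.corp.example", "db.team-a.corp.example"],
                 ["*.team-a.corp.example"],               # wildcard, in zone
                 ["api.team-b.corp.example"],             # sibling team's zone
                 ["corp.example"],                        # parent zone
                 ["jump.admin.team-a.corp.example"]):     # carved-out subtree
        print(sans, "->", check_constraints(sans, permitted, excluded))
```

A compromised key for the team-a CA can only mint names the verifier will accept inside team-a.corp.example, which is the scoping a wildcard leaf key shared across machines does not give.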