mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-23 12:52:10 +00:00
Seirdy 2024-09-25 11:57:26 -04:00
parent 5c4046d867
commit bd5c7aef97
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479


@ -307,7 +307,7 @@ Today, Certificate Authority Authorization (<abbr>CAA</abbr>) DNS records restri
- Restrict issuance to short-lived certificates. - Restrict issuance to short-lived certificates.
- Restrict approved delegates for delegated credentials. - Restrict approved delegates for delegated credentials.
With the first extension, an attacker who triggers a misissuance would compromise it for a few days or hours months. The second extension limits the potential for rogue delegates to serve traffic on behalf of an <abbr>IdO</abbr>. With the first extension, an attacker who triggers a misissuance would compromise it for a few days or hours rather than months. The second extension limits the potential for rogue delegates to serve traffic on behalf of an <abbr>IdO</abbr>.
I want to see the protections offered by Expect-Staple preloading for short-lived certificates. HTTPS Resource Records (<abbr>RRs</abbr>) or client-side preload lists can proactively tell clients to distrust any long-lived certificate for a domain.[^12] I want to see the protections offered by Expect-Staple preloading for short-lived certificates. HTTPS Resource Records (<abbr>RRs</abbr>) or client-side preload lists can proactively tell clients to distrust any long-lived certificate for a domain.[^12]
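
Review bot: The pronoun in "would compromise it", in the sentence starting "With the first extension", still has no clear antecedent after this fix: the two list items just above name certificates and delegates, not the thing an attacker compromises. Since this line is being touched anyway, consider naming the object explicitly (for example the domain, which the following paragraph refers to) so the sentence reads on its own. The added "rather than" correctly repairs the "a few days or hours months" wording.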