CanSignHTTPExchanges

This is a follow-up on this thread: CanSignHttpExchanges extension - #5 by mdmower

Google seems to have just announced that it will use this feature to prefetch data in Search. It is now supported in Google Chrome and Chrome-based browsers such as Edge and Opera. Is Let's Encrypt planning to include this feature in the near future?

Announcement and further links in the description: https://youtu.be/r14he4JRGdw


I don't think the current Boulder architecture can support it: CAA gets checked before the CA asks for the CSR, so CanSignHTTPExchanges=true can't be checked against CAA (because the VA doesn't know whether you want to sign an HTTP Exchange cert or not).
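To make the CAA point concrete, here is a small added example (not code from this thread, Boulder, or any CA): it parses CAA `issue` records carrying the `cansignhttpexchanges=yes` parameter from the Signed HTTP Exchanges certificate requirements and shows that the authorization decision depends on knowing whether an SXG-signing certificate is being requested. The record values are constructed samples and the parameter spelling is assumed from that draft.

```python
import re
from dataclasses import dataclass, field

# Parameter name from the Signed HTTP Exchanges certificate requirements
# (assumption: spelling as used in that draft and in CA documentation).
SXG_PARAM = "cansignhttpexchanges"

# Constructed sample CAA records in presentation format (not real DNS data).
SAMPLE_RECORDS = [
    '0 issue "ca.example.net; cansignhttpexchanges=yes"',
    '0 issue "other.example.org"',
]

@dataclass
class CaaRecord:
    tag: str
    issuer: str                      # issuer domain, "" means "nobody"
    params: dict = field(default_factory=dict)

def parse_caa(record: str) -> CaaRecord:
    """Parse '<flags> <tag> "<issuer>[; key=value]*"' (RFC 8659 syntax)."""
    m = re.fullmatch(r'\s*(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"\s*', record)
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    tag, value = m.group(2), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:                         # tolerate a trailing ';'
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return CaaRecord(tag, parts[0].lower(), params)

def may_issue(records, ca_domain: str, want_sxg: bool) -> bool:
    """Return True if ca_domain may issue for this name.

    want_sxg is whether the requested certificate will carry the
    CanSignHttpExchanges extension. A CAA check that runs before the CSR
    arrives cannot know this value, which is the architectural gap above.
    (issuewild is ignored here; only plain 'issue' records are considered.)
    """
    issues = [c for c in map(parse_caa, records) if c.tag == "issue"]
    if not issues:
        return True                   # no issue records: CAA does not restrict
    for c in issues:
        if c.issuer != ca_domain.lower():
            continue
        if not want_sxg:
            return True               # ordinary TLS cert: CA named, good enough
        if c.params.get(SXG_PARAM, "").lower() == "yes":
            return True               # SXG cert: CA named AND explicitly allowed
    return False
```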

Mozilla considers CanSignHTTPExchanges to be harmful; I would be against adding this feature for the reasons they have outlined.

https://mozilla.github.io/standards-positions/

Mozilla has concerns about the shift in the web security model required for handling web-packaged information. Specifically, the ability for an origin to act on behalf of another without a client ever contacting the authoritative server is worrisome, as is the removal of a guarantee of confidentiality from the web security model (the host serving the web package has access to plain text). We recognise that the use cases satisfied by web packaging are useful, and would be likely to support an approach that enabled such use cases so long as the foregoing concerns could be addressed.
