mcpherrinm a day ago

I can’t see freely available intermediates ever happening. The first three reasons I can think of are here, but there’s more I’m sure.

1. No way to enforce what the issued end-entity certificates look like, beyond name constraints. X.509 is an overly-flexible format and a lot of the ecosystem depends on a subset of it being used, which is enforced by policy on CAs.

2. Hiding private domains wouldn’t be any different than today. CT requirements are enforced by the clients, and presumably still would be. Some CAs support issuing certs without CT now, but browsers won’t accept them.

3. Allowing effectively unlimited issuance would likely overwhelm CT, and the whole ecosystem collapses.
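
Added illustration of point 1 (not part of the comment above, and not from any CA's code): a root signs a name-constrained intermediate, and Go's standard-library verifier accepts a leaf for a permitted name, rejects one outside the constraint, but happily accepts a leaf with a 20-year validity, because a name constraint says nothing about validity, key usage, SCTs or any other part of the profile that CA policy normally enforces. All names and the "example.test" constraint are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert signs tmpl with the signer's key (self-signed when parent is nil) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub any, signer any) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// ChainOK builds root -> name-constrained intermediate (example.test only) -> leaf for dnsName
// with the given validity and reports whether Go's verifier accepts the chain.
func ChainOK(dnsName string, validity time.Duration) bool {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	now := time.Now()
	root := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, &rootKey.PublicKey, rootKey)
	inter := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constrained Intermediate"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
		// The only profile control a name constraint gives: which DNS names the leaf may carry.
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.test"}}, root, &intKey.PublicKey, rootKey)
	// Validity, EKUs, SCTs and everything else in the leaf are unconstrained by the intermediate.
	leaf := mkCert(&x509.Certificate{SerialNumber: big.NewInt(3), DNSNames: []string{dnsName},
		NotBefore: now, NotAfter: now.Add(validity),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, &leafKey.PublicKey, intKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err == nil
}
```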

infogulch 20 hours ago

That's a fair point, though CT is only strictly enforced by Chromium-based browsers at the moment. There would need to be some resolution to this issue, but the CT problem doesn't seem to be insurmountable in a 5 year timeframe if the relevant parties are motivated to solve it.