Post History
Answer
#2: Post edited
Does GnuTLS support [CA Name Constraints][name-constraints] (RFC 5280, 4.2.1.10), so you can limit the valid domains directly in the root CA?

I'm not aware of any CAs that self-limit this way,[^moz] except for when [the US government tried][fpki] (unsuccessfully?) to get one approved by the CA/B forum [for `.gov` and `.mil`][bugzilla-nc]. Name Constraints would give country-specific CAs the ability to issue certificates for their ccTLD, but could exclude them from globally-shared ICANN TLDs or other countries' ccTLDs.

[^moz]: It is also worth noting that [Mozilla proposed][moz-nc] enforcing name constraints _external_ to the CA certificates, but that led to [fiery discussion][mailing-list] about entrenching current CAs that could issue for `.org`, `.com`, etc. when new ones would have to beg to do so.

[name-constraints]: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10
[fpki]: https://github.com/uspki/policies
[moz-nc]: https://wiki.mozilla.org/CA:NameConstraints
[bugzilla-nc]: https://bugzilla.mozilla.org/show_bug.cgi?id=478418#c28
[mailing-list]: https://groups.google.com/g/mozilla.dev.security.policy/c/pF4aVsF21ww/m/yKDhNpEt-2gJ
#1: Initial revision
Does GnuTLS support [CA Name Constraints][name-constraints] (RFC 5280, 4.2.1.10), so you can limit the valid domains directly in the root CA? I have been loosely trying to find evidence that Mozilla and CA/B friends only permit some CAs if they use these restrictions, but I haven't found it yet. This was typically expected to give country-specific CAs the ability to issue certificates for their ccTLD. Supposedly, the US government [was also trying][fpki] to get one for `.gov` and `.mil`, but I don't know if the project was ever accepted by CA/B.

[name-constraints]: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10
[fpki]: https://github.com/uspki/policies
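Added example, not part of the post above and not GnuTLS code: a small Python model of the dNSName name-constraints check from RFC 5280 section 4.2.1.10 that a validator applies when a root CA limits the domains it may issue for (the `.gov`/`.mil` case the post mentions). It also walks a chain the way RFC 5280 section 6.1.4 prescribes, intersecting permitted subtrees and accumulating excluded ones, which goes beyond the single-root case in the question. The CA names, subtrees and hostnames are constructed sample data.

```python
"""Added example (not from the original post or from GnuTLS): a minimal model of
the RFC 5280 section 4.2.1.10 dNSName name-constraints check. All CA names,
subtrees and hostnames below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().lower().rstrip(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: 'www.host.example.com' satisfies the constraint
    'host.example.com' (zero or more labels added on the left);
    'host1.example.com' does not, because matching is on label boundaries."""
    name, subtree = _normalize(name), _normalize(subtree)
    return name == subtree or name.endswith("." + subtree)


def intersect_subtrees(a: List[str], b: List[str]) -> List[str]:
    """Intersection of two permitted-subtree lists (RFC 5280 6.1.4, step b):
    where one subtree contains the other, the narrower one survives;
    unrelated subtrees contribute nothing."""
    out = set()
    for x in a:
        for y in b:
            if dns_name_in_subtree(x, y):
                out.add(_normalize(x))
            elif dns_name_in_subtree(y, x):
                out.add(_normalize(y))
    return sorted(out)


@dataclass
class CaConstraints:
    """NameConstraints carried by one CA certificate (dNSName entries only).
    permitted_dns=None means the CA lists no dNSName permitted subtree and so
    does not restrict DNS names; an empty list means nothing is permitted."""
    name: str
    permitted_dns: Optional[List[str]] = None
    excluded_dns: List[str] = field(default_factory=list)


def effective_constraints(chain: List[CaConstraints]):
    """Walk the chain root-first as RFC 5280 6.1.4 does: permitted subtrees
    are intersected (an intermediate can only narrow what the root allows),
    excluded subtrees accumulate."""
    permitted: Optional[List[str]] = None
    excluded: List[str] = []
    for ca in chain:
        if ca.permitted_dns is not None:
            permitted = (sorted(_normalize(s) for s in ca.permitted_dns)
                         if permitted is None
                         else intersect_subtrees(permitted, ca.permitted_dns))
        excluded.extend(_normalize(s) for s in ca.excluded_dns)
    return permitted, excluded


def dns_name_permitted(name: str, permitted: Optional[List[str]],
                       excluded: List[str]) -> bool:
    """A dNSName is acceptable only if it lies outside every excluded subtree
    and, when permitted dNSName subtrees exist, inside at least one of them."""
    if any(dns_name_in_subtree(name, s) for s in excluded):
        return False
    if permitted is not None and not any(dns_name_in_subtree(name, s) for s in permitted):
        return False
    return True


def check_leaf(chain: List[CaConstraints], san_dns_names: List[str]) -> Dict[str, bool]:
    """Evaluate each SAN dNSName of a leaf certificate against the chain."""
    permitted, excluded = effective_constraints(chain)
    return {n: dns_name_permitted(n, permitted, excluded) for n in san_dns_names}


# Constructed sample chain: a hypothetical root limited to .gov and .mil, and
# an agency intermediate that narrows .gov further and excludes a test zone.
SAMPLE_CHAIN = [
    CaConstraints("Sample Gov Root", permitted_dns=["gov", "mil"]),
    CaConstraints("Sample Agency CA", permitted_dns=["example.gov", "mil"],
                  excluded_dns=["test.mil"]),
]
SAMPLE_NAMES = ["www.example.gov", "example.gov", "other.gov", "ships.navy.mil",
                "host.test.mil", "example.com", "fakegov"]

if __name__ == "__main__":
    for host, ok in check_leaf(SAMPLE_CHAIN, SAMPLE_NAMES).items():
        print(f"{host:20} {'permitted' if ok else 'REJECTED'}")
```

Two points the sample makes visible: an excluded subtree always wins over a permitted one (`host.test.mil` is rejected even though `mil` is permitted), and the constraint matches on label boundaries, so `fakegov` is not inside the `gov` subtree. Because permitted subtrees are intersected down the chain, an intermediate issued under such a root can only shrink the set of domains it may certify, never widen it.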