[SSL Observatory] Name constraints: a reasonable idea that hasn't panned out in practice
=JeffH
Jeff.Hodges at KingsMountain.com
Fri Apr 22 16:06:01 PDT 2011
So, you're saying that there are only two certs found in the EFF TLS/SSL
Observatory dataset that have name constraints enabled?
"Name Constraints", as specified in X.509 and profiled by PKIX (RFC 5280), are
kinda a mess, and aren't necessarily that useful because they just allow a CA
to indicate what portions of (a very ill-defined) namespace(s) its sub-CAs may
issue certs for. There are not just technical reasons that it isn't used very
much, there are also business reasons, I suspect ("What, I'm going to run a CA,
but what if a customer of mine registers a domain in a subtree I'm not allowed
to issue certs for? They'll just go to a CA that can and will...").
What'd be more useful, IMV, would be for end-entities to be able to declare
what issuers are authorized to issue certs on an end-entity's behalf. This is an
aspect of the collectively evolving HSTS, DANE (TLSA), and HASTLS work.
=JeffH
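Added example (not part of the original post, and not code from the EFF Observatory or its author): the checking rules a path validator applies when a sub-CA carries the Name Constraints extension the message describes. It implements the RFC 5280 section 4.2.1.10 matching rules for dNSName and rfc822Name subtrees, accumulates constraints down a root-to-leaf path, and shows the point about the namespace being ill-defined: a name form with no subtrees of its own type (here, an iPAddress SAN under a dNSName-only constraint) is unconstrained and passes. Certificates are plain Python dicts and every CA name, constraint value and subjectAltName is constructed for the example; nothing is parsed from real DER.

```python
"""
RFC 5280 section 4.2.1.10 name-constraint checking, as a standalone illustration.
This is added example code, not code from the EFF Observatory or from the post's
author.  Certificates are plain dicts and every CA name, constraint value and
subjectAltName below is constructed for the example; nothing is parsed from DER.
"""
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    # Each subtree is (name_type, base), e.g. ("dNSName", "example.com").
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_in_subtree(name: str, base: str) -> bool:
    """A dNSName satisfies a constraint if it equals the base or is formed by
    adding labels on the left (RFC 5280).  A base with a leading dot is a
    common non-RFC spelling meaning 'strict subdomains only'; it is accepted
    here but does not match the bare base."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base)
    return name == base or name.endswith("." + base)


def email_in_subtree(addr: str, base: str) -> bool:
    """rfc822Name constraints: 'user@host' names one mailbox, 'host' names any
    mailbox at exactly that host, '.host' any mailbox in a subdomain of host."""
    addr, base = addr.lower(), base.lower()
    if "@" in base:
        return addr == base
    host = addr.rsplit("@", 1)[-1]
    if base.startswith("."):
        return host.endswith(base)
    return host == base


MATCHERS = {"dNSName": dns_in_subtree, "rfc822Name": email_in_subtree}


def name_permitted(name_type: str, value: str, nc: NameConstraints) -> bool:
    """Decide one name against one CA's constraints:
    - a name form with no subtrees of its type is unconstrained (so a CA
      limited only by dNSName still lets iPAddress or URI SANs through);
    - a constrained form this code cannot match is rejected, as RFC 5280
      section 6.1.4 requires for constraints the application cannot process;
    - any excluded match fails, regardless of permitted entries;
    - otherwise, if permitted subtrees exist, at least one must match."""
    excl = [b for t, b in nc.excluded if t == name_type]
    perm = [b for t, b in nc.permitted if t == name_type]
    if not excl and not perm:
        return True
    match = MATCHERS.get(name_type)
    if match is None:
        return False
    if any(match(value, b) for b in excl):
        return False
    return not perm or any(match(value, b) for b in perm)


def check_chain(chain: list) -> list:
    """chain is ordered root -> ... -> leaf.  A CA's constraints bind every
    certificate below it, not itself, so they accumulate down the path
    (equivalent to RFC 5280's intersection of permitted / union of excluded
    subtrees).  Returns (cert, name_type, value, constraining_ca) violations."""
    violations, active = [], []
    for cert in chain:
        for ca_name, nc in active:
            for name_type, value in cert.get("san", []):
                if not name_permitted(name_type, value, nc):
                    violations.append((cert["name"], name_type, value, ca_name))
        if "name_constraints" in cert:
            active.append((cert["name"], cert["name_constraints"]))
    return violations


# Constructed sample path: a root, a sub-CA constrained to example.com, and
# two leaves.  All names are illustrative only.
ROOT = {"name": "Example Root CA"}
SUB_CA = {"name": "Example Sub CA", "name_constraints": NameConstraints(
    permitted=[("dNSName", "example.com"), ("rfc822Name", "example.com")],
    excluded=[("dNSName", "internal.example.com")])}
LEAF_OK = {"name": "www leaf", "san": [
    ("dNSName", "www.example.com"), ("dNSName", "example.com"),
    ("rfc822Name", "hostmaster@example.com")]}
LEAF_ROGUE = {"name": "rogue leaf", "san": [
    ("dNSName", "www.example.net"),             # outside the permitted subtree
    ("dNSName", "db.internal.example.com"),     # inside permitted, but excluded wins
    ("iPAddress", "192.0.2.10"),                # no iPAddress subtrees: slips through
    ("rfc822Name", "alice@mail.example.com")]}  # 'example.com' means that host only

if __name__ == "__main__":
    print("ok leaf   :", check_chain([ROOT, SUB_CA, LEAF_OK]))
    for v in check_chain([ROOT, SUB_CA, LEAF_ROGUE]):
        print("violation :", v)
```

Running the block reports no violations for the first leaf and three for the rogue one (the .net name, the excluded internal host, and the mailbox on a subdomain), while the iPAddress entry passes untouched because the sub-CA's constraints never mention that name form. That last behaviour is the reason a practitioner constraining a sub-CA to dNSName subtrees should also add excluded subtrees for the other name forms (for instance an iPAddress constraint covering 0.0.0.0/0) rather than relying on the dNSName entries alone.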