Hacker News

There is a Name Constraints extension in X.509[1] that does exactly that, but to my knowledge no browser implements it.

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.10




And that would have to be baked into the CA certificate, not specified when the CA is trusted. I don't want my browser to ask the CA what it's allowed to do, I want to tell it what it's allowed to do.


It has to be baked into the CA, so that a browser vendor can check it before inclusion. If the CA specifies domains it is not allowed to sign certificates for, it will not be included.


> but to my knowledge no browser implements it

Firefox does, though I don't know how much they check beyond just the dNSName constraints. Here's the unit test making sure it stays working: https://github.com/mozilla/gecko-dev/blob/b8157dfaafc42deb3b...
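To make the dNSName-constraint check discussed in this thread concrete, here is an added example (written for this page, not code from the thread, from Mozilla, or from any library) of how a verifier applies RFC 5280 section 4.2.1.10 to a chain. It is standard-library Python only; the CA names, the constraint sets and the leaf SAN entries are constructed for the demo, and the treatment of a leading dot in a constraint is this example's assumption, since RFC 5280 does not define that form for dNSName.

```python
# Added example (not from the thread, Mozilla, or any library): a stdlib-only
# model of how a verifier applies RFC 5280 section 4.2.1.10 dNSName constraints.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels. DNS is case-insensitive and a trailing dot
    only marks an absolute name, so both are normalised away. A leading dot
    (".example.com") is not defined for dNSName in RFC 5280; this example
    treats it like the bare name, which is an assumption, not the RFC."""
    return name.lower().strip(".").split(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName satisfies a subtree if it is the subtree itself or
    is formed by adding zero or more labels on the left. The comparison is on
    whole labels: a naive name.endswith(subtree) would let 'hostexample.com'
    pass a constraint of 'example.com'."""
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


@dataclass
class NameConstraints:
    """The dNSName part of one CA's Name Constraints extension."""
    permitted: Optional[List[str]] = None   # None: no permittedSubtrees of type dNSName
    excluded: List[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        # excludedSubtrees are checked first and always win over permittedSubtrees
        if any(dns_name_in_subtree(name, s) for s in self.excluded):
            return False
        if self.permitted is None:
            return True
        return any(dns_name_in_subtree(name, s) for s in self.permitted)


def check_chain(leaf_dns_names: List[str],
                ca_constraints: List[Tuple[str, NameConstraints]]) -> List[Tuple[str, str]]:
    """Every dNSName in the leaf's subjectAltName must satisfy the constraints of
    every CA above it, so the effective permitted set is the intersection along
    the chain. Returns (name, ca) pairs for each violation; empty means valid."""
    return [(name, ca) for name in leaf_dns_names
            for ca, nc in ca_constraints if not nc.allows(name)]


def demo_chain() -> List[Tuple[str, str]]:
    """Constructed scenario: a root limited to example.com and an intermediate
    limited further to corp.example.com with one excluded subtree."""
    chain = [
        ("root", NameConstraints(permitted=["example.com"])),
        ("intermediate", NameConstraints(permitted=["corp.example.com"],
                                         excluded=["secret.corp.example.com"])),
    ]
    leaf_sans = ["app.corp.example.com",         # fine at both levels
                 "www.example.com",              # passes the root, fails the intermediate
                 "db.secret.corp.example.com"]   # excluded by the intermediate
    return check_chain(leaf_sans, chain)


if __name__ == "__main__":
    for name, ca in demo_chain():
        print(f"rejected {name}: violates the name constraints of {ca}")
```

The model covers only dNSName; a real verifier also applies constraints to the other GeneralName types present in the extension (rfc822Name, URI, iPAddress, directoryName), and RFC 5280 says the constraints apply to subject names as well as subject alternative names, so how a hostname carried only in the subject CN is treated is something to check per implementation rather than assume.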



