Comment by pzb
11 years ago
There is such a thing -- name constraints. It allows exactly what you describe, limiting the valid names for certificates signed by the certificate.
Name constraints don't work [1] [2]. It's a nice thought, though :-/
[1] http://blog.codekills.net/2012/04/08/adventures-in-x509-the-...
[2] http://middleware.internet2.edu/pki06/proceedings/chadwick-n...
Interesting - that's news to me, and does allow a domain-registry-based hierarchy. I guess there's the old revocation-check problem, though - when someone transfers a domain or it expires, you'd need to be able to revoke the authority cert. Potentially leads to a lot of revocation checks to validate a cert chain correctly...
You mention that the revocation-check problem is old, which is certainly true, but I think you allude to the possibility that a domain-registry-based hierarchy will exacerbate that problem in the form of an increase in revocation checks. I'm not sure that would be the case; it should be about the same. What difference does it make if I owned a domain, got a cert from a CA, and stopped owning the domain -- vs -- got that cert from my registrar? If anything this helps the process, because my registrar knows when I stop owning the domain whereas a CA has no clue and relies on the cert's expiration date exclusively.
I guess you're right - I was considering the fact that someone once owned a domain was a threat, but it is already.
But with a delegated chain of certs, the problem does get worse - not least because you'd require individual domains to manage their own certificate revocation.
But since there's basically no secure way to obtain CRLs or perform OCSP cert validation, it's kind of moot.
I think this is kind of backwards? I.e. a CA that implements name constraints for one of its sub-CAs does limit the certs that sub-CA may sign. However, name constraints do not allow one to say "for this domain, only this sub-CA may sign certs", which is more what I feel we're looking for here?
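To make the distinction in the last two comments concrete, here is an added example (not code from anyone in the thread) that implements the RFC 5280 section 4.2.1.10 dNSName matching rule for permitted and excluded subtrees and applies each CA's constraints in a chain to a leaf's SANs. The scenario (a registrar-style sub-CA constrained to example.com) is constructed; the check answers only "may this CA sign for this name", which is exactly why it cannot express "only this CA may sign for this domain".

```python
"""RFC 5280 4.2.1.10 dNSName name-constraint evaluation (added illustration)."""
from dataclasses import dataclass, field


def dns_in_subtree(name: str, subtree: str) -> bool:
    """A dNSName satisfies a subtree when it equals the subtree or is formed by
    prepending one or more labels to it: www.host.example.com satisfies
    host.example.com, host1.example.com does not. Constraints are expected in
    the RFC form (host.example.com, no leading dot); comparison is case-insensitive."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if not subtree:            # an empty subtree matches every DNS name
        return True
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # dNSName permitted subtrees
    excluded: list = field(default_factory=list)   # dNSName excluded subtrees

    def allows(self, san: str) -> bool:
        """Excluded subtrees win over permitted ones. An empty permitted list
        leaves the name type unconstrained, as RFC 5280 specifies."""
        if any(dns_in_subtree(san, s) for s in self.excluded):
            return False
        if self.permitted and not any(dns_in_subtree(san, s) for s in self.permitted):
            return False
        return True


def validate_leaf(chain_constraints, leaf_sans):
    """Every CA above the leaf may carry its own constraints, and a leaf SAN must
    satisfy all of them. Returns the list of SANs the chain may not vouch for."""
    return [san for san in leaf_sans
            if not all(nc.allows(san) for nc in chain_constraints)]


if __name__ == "__main__":
    # Constructed scenario: a registrar-operated sub-CA limited to example.com,
    # with an internal zone carved out.
    registrar_ca = NameConstraints(permitted=["example.com"],
                                   excluded=["internal.example.com"])
    print(validate_leaf([registrar_ca], ["www.example.com", "example.com"]))
    print(validate_leaf([registrar_ca], ["other.com", "api.internal.example.com"]))
```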