undefined | Better HN

0 pointsJoshTriplett4y ago0 comments

> The simple solution is a local certificate authority which is added to the users’ browsers. It can deliver certificates automatically or manually.

I wish it was possible to add a certificate authority and restrict its usage to non-Internet servers (e.g. *.company.example).

(This is theoretically possible if the CA bakes that in, though not all TLS stacks support that. It isn't possible via local browser configuration.)

0 comments

2 comments · 1 top-level

tinus_hn4y ago· 1 in thread

If you are the authority yourself, you can just commit to not giving out certificates outside a specific domain.

JoshTriplettOP4y ago

If you're the authority you can restrict the certificate authority to a given set of domains, but that's if you're the authority.

I'd like browsers to give users control over that, to trust a CA in a limited fashion for only a subset of domains without trusting it to MITM the web.

j / k navigate · click thread line to collapse