undefined | Better HN

0 pointsagwa2y ago0 comments

> Browsers should get their shit together and add proper support of domain-limited CAs

They do in fact support this - e.g. Mozilla trusts KamuSM only for .tr [1], Chrome limited ANSSI to French TLDs [2].

However, there is no indication that the EU would be willing to accept such constraints on their national CAs. If you look at several of the current national European CAs, they routinely issue for generic TLDs like .com.

[1] https://groups.google.com/a/mozilla.org/g/dev-security-polic...

[2] https://security.googleblog.com/2013/12/further-improving-di...

0 comments

lambdaone2y ago

Cool. Domain-limited CAs are a really good idea, and they don't need anything like dynamic downloading of CAA records.

smarnach2y ago

CAA records only apply at the time a certificate is issued, and they only need to be considered by CAs. If the CAA record is changed later, all certificates that have already been issued continue to be valid, even if the new CAA record does not allow the issuing CA anymore. So looking at CAA records would be useless for browsers anyway.

j / k navigate · click thread line to collapse