undefined | Better HN

0 pointsamluto1y ago0 comments

I can imagine an organization wanting to run a CA for all kinds of reasons, and wanting to ignore some CA/B forum rules for all kinds of reasons. And, if that organization owns name.com and wants its employees to use ordinary web browsers (on corporate devices) to access resources protected by those certificates, then it seems entirely reasonable to have a *.name.com name constraint. The only problem is that browsers don’t support this.

0 comments

tardy_one1y ago

If they understand that they are bound to respect this, why don't they add the name constraints to their CA certificate?

The problem as I see it is that whatever method used is optional and insufficient to protect users until the browser highlights the source is not real public trust. Google knows this and started with the claim they prioritize user security while ending with the work around to prioritizing user security. (And without the slightest warning that sending your users to a bunch of financial institutions using improper trust chains is ethically dubious and requires more consideration than the time it takes to click the settings.)

amlutoOP1y ago

Name constraints have not been supported by browsers for very long. And they can’t solve this problem for private CA certificates that already exist. (Hmm, I wonder if issuing a new CA certificate with name constraints using an existing private key could be made to work.)

j / k navigate · click thread line to collapse

0 pointsamluto1y ago0 comments

0 comments

tardy_one1y ago

If they understand that they are bound to respect this, why don't they add the name constraints to their CA certificate?

amlutoOP1y ago

j / k navigate · click thread line to collapse