undefined | Better HN

0 pointslmz1y ago0 comments

If this is now finally supported that's great. The issue was that for it to be useful it has to be marked critical / fail-closed, because a CA with ignored name constraint == an unrestricted CA. But if you make it critical, then clients who don't understand it will just fail. You can see how this doesn't help adoption.

0 comments

westurner1y ago

It says "Proposed Standard" on the RFC; maybe that's why it's not widely implemented if that's the case?

https://bettertls.com/ has Name Constraints implementation validation tests, but "Archived Results" doesn't seem to have recent versions of SSL clients listed?

  nameConstraints=critical,

DNS Certification Authority Authorization: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au... :

> Registrants publish a "CAA" Domain Name System (DNS) resource record which compliant certificate authorities check for before issuing digital certificates.

And hopefully they require DNSSEC signatures and DoH/DoT/DoQ when querying for CAA records.

lmzOP1y ago

Name Constraints has been around at least since 1999 (RFC 2459).

I'm not sure why CAA is brought up here. I guess it is somewhat complementary in "reducing" the power of CAs, but it defends against good CAs misissuing stuff, not limiting the power of arbitrary CAs (as it's checked at issuance time, not at time of use).

tptacek1y ago

CAA does not require DNSSEC or DOH.

j / k navigate · click thread line to collapse