
Re: HTTPS everywhere!



On Tue, Jun 17, 2014 at 02:34:27PM +0200, Jakub Wilk wrote:
> * Simon McVittie <smcv@debian.org>, 2014-06-17, 13:20:
> >It should be possible to make a CA certificate that is only considered to
> >be valid for the spi-inc.org and debian.org subtrees, and then trust the
> >assertion that SPI control that certificate - but in widely-used
> >applications, that isn't possible.
> 
> In theory, the Name Constraints extension should allow one to achieve what
> you said:
> http://tools.ietf.org/html/rfc5280#section-4.2.1.10
> No idea how well it is supported, though.

This should be supported by all libraries, and is being used.
More and more intermediate CAs are in the process of becoming
constrained.


Kurt
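
Added example, not part of the original messages: a sketch of the dNSName matching rule from RFC 5280 section 4.2.1.10 that the thread refers to, applied to the debian.org and spi-inc.org subtrees mentioned above. The function names and the tested host names are constructed for illustration; real path validation is done by the TLS library, not by code like this.

```python
# Illustration of RFC 5280 4.2.1.10 dNSName constraints (added example).
# Subtrees come from the thread; function names are hypothetical.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def within_subtree(name, base):
    """True if `name` equals `base` or adds zero or more labels on its left.

    The comparison is per label, so "notdebian.org" is NOT inside
    "debian.org" even though it ends with the same characters.
    """
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def dns_name_allowed(name, permitted, excluded=()):
    """Check one subjectAltName dNSName against a CA's constraints.

    A match in `excluded` rejects the name regardless of `permitted`.
    An empty `permitted` means the CA lists no permitted dNSName
    subtrees, so every name that is not excluded passes.
    """
    if any(within_subtree(name, e) for e in excluded):
        return False
    if permitted and not any(within_subtree(name, p) for p in permitted):
        return False
    return True

def chain_allows(san_names, constraints_per_ca):
    """Every dNSName of the leaf must satisfy every constrained CA in the path."""
    return all(
        dns_name_allowed(name, c.get("permitted", ()), c.get("excluded", ()))
        for c in constraints_per_ca
        for name in san_names
    )

# Constructed constraint set for a CA limited to the two subtrees in the thread.
SPI_CA = {"permitted": ["debian.org", "spi-inc.org"]}

if __name__ == "__main__":
    for host in ("www.debian.org", "notdebian.org", "debian.org.example.net"):
        print(host, chain_allows([host], [SPI_CA]))
```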

