Re: Restricting SSL cert issuance within specified domain
On 6/1/10 2:05 PM, Nelson B Bolyard wrote:
> On 2010/06/01 11:38 PDT, Kathleen Wilson wrote:
>> Is there support in NSS to restrict an intermediate CA to only be able to issue SSL certificates within a specified domain?
>
> Yes, the issuer of the intermediate CA cert can constrain the names that may appear in certificates issued by that subordinate intermediate CA.
>
>> If yes, does this support apply to both SANs and CNs?
>
> In current releases, it does not apply to CNs, because the standard does not define that constraint as applying to CNs. However, in the next forthcoming release, it will apply to CNs. Whether it's standard or not, the constraint is pretty useless if it does not apply to CNs, so we've changed it. There seems to be agreement among a subset of browser vendors that this is the right thing to do.

That's great news! Is there a corresponding bug number or other way I can track the progress to see which version of NSS it gets into?

>> It would be reasonable, IMO, for Mozilla policy to require CAs to constrain the subordinate intermediate CA certificates that they issue.

Yes, we are considering this for the third-party private (or enterprise) subordinate CAs.

Thanks!
Kathleen

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
RE: Restricting SSL cert issuance within specified domain
> That's great news! Is there a corresponding bug number or other way I can track the progress to see which version of NSS it gets into?

https://bugzilla.mozilla.org/show_bug.cgi?id=394919
Re: Restricting SSL cert issuance within specified domain
On 6/2/10 11:13 AM, Ryan Sleevi wrote:
>> That's great news! Is there a corresponding bug number or other way I can track the progress to see which version of NSS it gets into?
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=394919

Excellent! Thanks!
Kathleen
Re: Restricting SSL cert issuance within specified domain
On 2010/06/01 11:38 PDT, Kathleen Wilson wrote:
> Is there support in NSS to restrict an intermediate CA to only be able to issue SSL certificates within a specified domain?

Yes, the issuer of the intermediate CA cert can constrain the names that may appear in certificates issued by that subordinate intermediate CA.

> If yes, does this support apply to both SANs and CNs?

In current releases, it does not apply to CNs, because the standard does not define that constraint as applying to CNs. However, in the next forthcoming release, it will apply to CNs. Whether it's standard or not, the constraint is pretty useless if it does not apply to CNs, so we've changed it. There seems to be agreement among a subset of browser vendors that this is the right thing to do.

> Can you point me to documentation on how to use this?

http://www.rfc-editor.org/rfc/rfc5280.txt
Section 4.2.1.10. Name Constraints

> The reason that I'm asking is because there have been recent discussions in m.d.s.policy about subordinate CAs that chain up to root certificates that are included in NSS. The discussions have prompted a significant update to the following wiki page:
> https://wiki.mozilla.org/CA:SubordinateCA_checklist
>
> My questions above are in regards to the "Third-party private (or enterprise) subordinate CAs" defined in this wiki page.
>
> It would be reasonable, IMO, for Mozilla policy to require CAs to constrain the subordinate intermediate CA certificates that they issue.
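Editor's added example (not from the thread, and not NSS's implementation): the dNSName matching rule of RFC 5280 section 4.2.1.10, applied to a leaf certificate's SAN entries and, optionally, to its subject CN. It shows the gap Nelson describes: a leaf whose SAN is inside the intermediate's permitted subtree but whose CN names a host outside it passes a SAN-only check and fails once the CN is included. The hostnames, the `PERMITTED`/`EXCLUDED` lists and the leaf dictionaries are constructed test data; the "leading dot means proper subdomains only" handling is not in the RFC and follows OpenSSL's convention.

```python
"""Added example: RFC 5280 4.2.1.10 name-constraint checking for dNSName,
applied to SAN entries and, optionally, to the subject CN.  Illustrative code
written for this thread, not NSS's implementation.  All hostnames are constructed."""
import re

# Plausible hostname: letters, digits and hyphens per label, optional leading "*."
_HOSTNAME_RE = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]*[a-z0-9])?$"
)


def dns_in_subtree(name: str, constraint: str) -> bool:
    """Does `name` fall inside the dNSName subtree `constraint`?

    RFC 5280: a constraint "host.example.com" is satisfied by that name and by
    any name built by adding labels on the left (www.host.example.com), but not
    by host1.example.com.  A leading-dot constraint (".example.com") is not
    defined by the RFC; here it means "proper subdomains only", as in OpenSSL.
    An empty constraint matches everything.
    """
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint == "":
        return True
    if constraint.startswith("."):
        return len(name) > len(constraint) and name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def check_dns_names(names, permitted, excluded):
    """Return [(name, reason)] for every name that violates the constraints.

    Excluded subtrees always win.  Permitted subtrees restrict only when at
    least one dNSName permitted subtree exists (constraints apply per name form).
    """
    violations = []
    for n in names:
        if any(dns_in_subtree(n, e) for e in excluded):
            violations.append((n, "excluded"))
        elif permitted and not any(dns_in_subtree(n, p) for p in permitted):
            violations.append((n, "not permitted"))
    return violations


def hostnames_from_leaf(leaf, include_cn):
    """Names to constrain: SAN dNSNames, plus the CN when it looks like a
    hostname and the caller asks for it (the behaviour change in the thread)."""
    names = list(leaf.get("san_dns", []))
    cn = leaf.get("cn", "")
    if include_cn and _HOSTNAME_RE.match(cn.lower()):
        names.append(cn)
    return names


def check_leaf(leaf, permitted, excluded=(), include_cn=False):
    return check_dns_names(hostnames_from_leaf(leaf, include_cn), permitted, excluded)


# Constructed data: an intermediate constrained to example.com minus an
# internal subtree, and leaf certificates it issued.
PERMITTED = ["example.com"]
EXCLUDED = ["internal.example.com"]

LEAF_OK = {"cn": "www.example.com", "san_dns": ["www.example.com", "example.com"]}
# SAN is inside the constraint, but the CN names a host outside it; a client
# that matches hostnames against the CN (legacy fallback) is misled.
LEAF_CN_BYPASS = {"cn": "login.bank.test", "san_dns": ["www.example.com"]}
LEAF_EXCLUDED = {"cn": "db.internal.example.com",
                 "san_dns": ["db.internal.example.com"]}

if __name__ == "__main__":
    for label, leaf in [("ok", LEAF_OK), ("cn-bypass", LEAF_CN_BYPASS),
                        ("excluded", LEAF_EXCLUDED)]:
        print(label,
              "SAN only:", check_leaf(leaf, PERMITTED, EXCLUDED),
              "SAN+CN:", check_leaf(leaf, PERMITTED, EXCLUDED, include_cn=True))
```

Running it shows `cn-bypass` reporting no violation under the SAN-only check and `login.bank.test` as "not permitted" once the CN is included. A real validator also has to constrain the other name forms the intermediate carries (rfc822Name, iPAddress, directoryName) and must reject names whose form it cannot evaluate; only dNSName is covered here.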