[ https://issues.apache.org/jira/browse/NIFI-3750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Grey resolved NIFI-3750.
-----------------------------
    Resolution: Won't Do

In a recent mailing list discussion [1], a consensus discussion was made to 
deprecate the module "nifi-toolkit-tls".  A set of tickets [2] [3] [4] was 
opened and resolved to carry out this work.

In order to complete this effort, any open tickets in the NIFI project relating 
to defects, enhancements, etc. of "nifi-toolkit-tls" should be marked resolved.

[1] https://lists.apache.org/thread/vn1nzobtz4fh7fs461sgg8jj9zygrk0f
[2] NIFI-12169 - Documentation updates to provide alternatives to usage of TLS 
Toolkit
[3] NIFI-12200 - Remove nifi-toolkit-tls module
[4] NIFI-12201 - Deprecation markings for nifi-toolkit-tls module in 
support/nifi-1.x


> tls-toolkit should support x.509 nameConstraints
> ------------------------------------------------
>
>                 Key: NIFI-3750
>                 URL: https://issues.apache.org/jira/browse/NIFI-3750
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Andre F de Miranda
>            Priority: Major
>
> Given the growing acceptance of nameConstraints in the browser space, it 
> would be great if tls-toolkit certificates used the extension.
> nameConstraints are an extension to x.509 that allow CA certificates to be 
> constrained on the range of subjects they can "certify". One could, for 
> example, restrict certificates by the "nifinode00.nifi.lab.example.com" to 
> only issue certificates to "*.nifi.lab.example.com".
> Consequentially, the main rationale to use this technique is to allow users to 
> install the tls-toolkit issued CA on browsers, knowing that that trusted CA 
> can only be used to issue certificates to subjects within the 
> "nifi.lab.example.com" namespace.
> Once this is implemented, we could then consider both NiFi nodes and MiNiFi 
> agents against a beefed version of tls-toolkit (via shared secret + 
> approval), greatly reducing dependency on external certificates, without 
> compromising the gains the toolkit offers to the customer base.
> https://tools.ietf.org/html/rfc5280#section-4.2.1.10



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
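
The constraint described in the quoted issue, reproduced with the openssl command line as an added example (not NiFi or tls-toolkit code). The CA name, the temp-directory layout and the out-of-namespace host nifinode00.other.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed host names, written to a temp dir.
WORK=$(mktemp -d)

# Create a self-signed CA whose critical nameConstraints extension permits
# only nifi.lab.example.com and names below it (RFC 5280 section 4.2.1.10).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constrained NiFi Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:nifi.lab.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf for DNS name $1. The CA key will sign any name it is given;
# the constraint is enforced later, by whoever validates the chain.
issue_leaf() {
  printf 'subjectAltName = DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Return 0 if the leaf for $1 validates against the constrained CA.
leaf_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca
for name in nifinode00.nifi.lab.example.com nifinode00.other.example.com; do
  issue_leaf "$name"
  if leaf_ok "$name"; then echo "$name: accepted"; else echo "$name: rejected"; fi
done
```

Both leaves are signed successfully; only validation tells them apart, so the protection depends on the relying party (browser or TLS library) enforcing the extension.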
