Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support testing NameConstraints? #286

Open
kcking opened this issue Sep 6, 2016 · 0 comments
Open

Support testing NameConstraints? #286

kcking opened this issue Sep 6, 2016 · 0 comments
Labels
enhancement

Comments

@kcking
Copy link

kcking commented Sep 6, 2016

NameConstraints on a CA cert designate a whitelist/blacklist of CNs and SANs that certificates signed by that CA can contain (they can also be applied to any GeneralName (see RFC5280). Support for NameConstraints is minimal, the only mainstream clients I'm aware of that implement it are NSS (used by Firefox) and the openssl cli (and these implementations don't necessarily work for all types of GeneralName).

NameConstraints allow one to give a CA restricted trust, such as only trusting the DoD Root (that was installed on my Mac by default) with *.gov SANs.

Would trytls be interested in a contribution adding some sort of NameConstraints support to its testbed?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@oherrala @kcking