Comments (6)
Name constraints are interesting, but are they deployed? Out of the NSS trust anchor set I could only discover a single CA certificate which had name constraints. Do you have a sample set of certificate chains which contain name constraints (both good and bad chains would be useful)?
From when I worked at Mozilla, I know that there were CAs that were using name constraints. The HARICA root CA that Mozilla trusts actually has name constraints in the root certificate, for example. But, more interestingly, there are CAs that are selling name-constrained intermediate CA certificates to large businesses. See https://www.pki.bayern.de/ for one example.
Also, as far as testing goes, the mozilla::pkix test suite contains a large number of unit tests for name constraints in pkixnames_tests.cpp.
Note that I see name constraints as a long-term thing. My goal is to help more businesses get name-constrained CA certificates for their domains, so that Facebook will have one for *.facebook.com, Mozilla will have one for *.mozilla.org, etc. This way, they can use key pinning to pin to their intermediate CA's key. This will be safer and less error-prone than the way things currently are. It's a long-term thing, but it requires fairly ubiquitous name constraint support among implementations, which is why I am encouraging implementers to implement them.
I am happy to assist by reviewing code or answering questions.
I'm a big fan of name constraints myself, but when I looked through the real world [tm], I couldn't find much usage of them. I'd be really happy if there was a TLD where the domain registrar also handed out an intermediate name-constrained certificate -- and thus the trust anchor for that TLD could be pinned to the registrar one, and nobody could fuzz around with other anchors...
But since I failed to see much usage, I didn't bother to implement this properly (yet)...
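To make the "implement this properly" part of the discussion concrete, here is a small dNSName name-constraint checker in the spirit of RFC 5280 section 4.2.1.10. It is an added illustration, not code from ocaml-x509 or from any commenter, and the `Cert` record, the chains and the hostnames in it are constructed stand-ins for parsed certificates. It shows the two properties an implementation has to get right: constraints carried by a CA apply to every certificate below it (so permitted subtrees intersect down the chain and excluded subtrees accumulate), and a wildcard SAN has to be judged by its base name so that a constraint deeper than the wildcard is not silently satisfied.

```python
"""Hypothetical dNSName name-constraint checker (RFC 5280 s4.2.1.10).
Added illustration, not ocaml-x509 code; Cert is a constructed stand-in
for a parsed certificate."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    subject: str                           # label used in messages only
    dns_names: List[str]                   # subjectAltName dNSName entries
    permitted: Optional[List[str]] = None  # permittedSubtrees dNSName; None = unconstrained
    excluded: List[str] = field(default_factory=list)  # excludedSubtrees dNSName


def _norm(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot does not change the name
    return name.lower().rstrip(".")


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """True if `name` lies within the dNSName subtree `constraint`.

    RFC 5280: a constraint of "example.com" is satisfied by example.com and by
    any name built by adding labels on the left (host.example.com).  A leading
    dot (".example.com") is the stricter form accepted by mozilla::pkix and
    matches subdomains only.  A wildcard name "*.example.com" stands for any
    single-label subdomain, so for the plain form it is judged by its base."""
    name, constraint = _norm(name), _norm(constraint)
    if constraint.startswith("."):
        return name.endswith(constraint)
    base = name[2:] if name.startswith("*.") else name
    return base == constraint or base.endswith("." + constraint)


def check_chain(chain: List[Cert]) -> List[str]:
    """Check a chain ordered root -> intermediates -> leaf.

    Constraints carried by a CA apply to every certificate issued below it, so
    a leaf must satisfy the constraints of every ancestor.  Returns the list of
    violations; an empty list means the chain passes.  Only dNSName is handled;
    other name forms and the legacy CN fallback are out of scope here."""
    violations: List[str] = []
    for i, ca in enumerate(chain[:-1]):
        for cert in chain[i + 1:]:
            for name in cert.dns_names:
                if any(dns_name_in_subtree(name, x) for x in ca.excluded):
                    violations.append(
                        f"{cert.subject}: {name} is in an excluded subtree of {ca.subject}")
                if ca.permitted is not None and not any(
                        dns_name_in_subtree(name, p) for p in ca.permitted):
                    violations.append(
                        f"{cert.subject}: {name} is outside the permitted subtrees of {ca.subject}")
    return violations


# Constructed sample chains (not real certificates).
ROOT = Cert("Example Root", [])
CORP_CA = Cert("Example Corp CA", [], permitted=["example.com"],
               excluded=["internal.example.com"])
SHOP_CA = Cert("Example Shop CA", [], permitted=["shop.example.com"])

GOOD_CHAIN = [ROOT, CORP_CA, Cert("www", ["www.example.com", "*.example.com"])]
WRONG_DOMAIN = [ROOT, CORP_CA, Cert("phish", ["www.example.com", "login.example.net"])]
EXCLUDED_HOST = [ROOT, CORP_CA, Cert("db", ["db.internal.example.com"])]
# The sub-CA narrows its parent's constraint: api.example.com passes the parent
# but fails the sub-CA, and the chain must be rejected.
NARROWED = [ROOT, CORP_CA, SHOP_CA, Cert("api", ["api.example.com"])]

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN), ("wrong domain", WRONG_DOMAIN),
                         ("excluded host", EXCLUDED_HOST), ("narrowed", NARROWED)]:
        print(label, check_chain(chain) or "ok")
```

The checker walks every ancestor for every name rather than merging the constraint sets first; that keeps the logic obviously correct for the nested-intermediate case and is what a test corpus such as the mozilla::pkix name-constraint tests exercises most.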
I'm a fan of name constraints too; I have a stale branch with some commits here that I hope to revive once my ASN.1 kung-fu grows stronger. Until then, I don't know, perhaps it can serve as inspiration to someone who needs NCs:
https://github.com/cfcs/ocaml-x509/tree/nameconstraints
I think name constraints are useful; perhaps one of the reasons they're not used in "the real world" is that people have problems understanding x509 in general, and this is sort of hidden away in a corner.
I would like to see a world where they are used more, at least we could use it in our own OCaml/Mirage-related infrastructure.
Netflix thinks it has value, and open sourced a test suite for Name Constraint implementations: http://techblog.netflix.com/2017/04/bettertls-name-constraints-test-suite.html
Code here: https://github.com/netflix/bettertls