Gervase Markham wrote:
I am interested in investigating with the NSS developers whether it
would be possible to restrict a particular root certificate to signing
end entity certificates only for domains with a particular TLD.
For example, I would like to admit the CA of the Government of Lilliput
to the root store, because it meets most of the criteria. However, they
don't have an audit (or perhaps their audit documents are classified).
This is understandable; the citizens of Lilliput must already trust
their government anyway (or not); an audit would achieve very little to
enhance that confidence.
However, because citizens of the rest of the world should not be
required to trust the government of Lilliput, I would like to make it so
that chains ending at their root are only reported as valid if the
domain name in question ends in .ll (the Lilliputian TLD).
Is this technically feasible? Would this function be best implemented in
NSS or at a higher level?
Yes, this is technically feasible. The CA's certificate can have
a "name constraints" extension that constrains the domain names in
the .ll name space. See RFC 3280, Section 4.2.1.11 Name Constraints.
Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
