(github.com)

246 points nh2 | 1 comments | 18 Oct 24 06:10 UTC | HN request time: 0.001s | source

Show context

nh2 ◴[18 Oct 24 06:10 UTC] No.41876742[source]▶

I did some research, write-up and scripting about the state of X.509 Name Constraints, so that people you give your CA cert to don't need to trust you not to MitM them on other domains.

Packaged into a convenient one-liner to create a wildcard cert under for the new .internal TLD.

Please scrutinize!

I use this to provide e.g. at home:

    https://octoprint.myhome.internal
    https://paperless.myhome.internal

to provide transport encryption of these services in the local WiFi.

Friends and family can add the CA root to their devices without having to worry about me MitM'ing their other connections.

replies(2): >>41912265 #>>41912340 #

vbezhenar ◴[22 Oct 24 08:35 UTC] No.41912340[source]▶

>>41876742 #

Is it possible to constrain existing CA?

For example my government uses non-standard CA and some websites rely on it. But importing CA obviously makes them able to issue google.com and MITM me if they want to. And they already tried, so trust is broken.

I imagine something like generating separate name-constrained certificate, sign existing CA with this name-constrained certificate (I think it's called cross-sign or something like that) and import things into OS, expecting that browser will use name-constraints of the "Root-Root" certificate. Could it work?

replies(3): >>41912417 #>>41914954 #>>41915094 #

1. ◴[22 Oct 24 08:52 UTC] No.41912417[source]▶

>>41912340 #

↑

Just want simple TLS for your .internal network?