
246 points nh2 | 3 comments
1. billpg No.41912612
Is "name constraints" new? I wanted to do something similar a decade or two ago and found I'd have to be trusted for all domains, which I wanted to avoid.
replies(2): >>41912756 >>41915972
2. michaelt No.41912756
It's been around since ~2008 when RFC 5280 was released.

But it's long been stuck in a cycle of "CAs won't issue name-constrained certificates because not all clients support it properly" and "Clients don't bother to support it properly because CAs won't issue name-constrained certificates".

And even if today's clients all support it properly - there will always be some users running ancient smart TVs and Android phones that haven't received a software update in a decade.

3. toast0 No.41915972
A decade ago, name constraints was available, but support wasn't really there. I was looking into making a company CA for internal tools, but I didn't want to be able to MITM employees going to unrelated sites, and I couldn't mandate specific browsers, so we ended up using a commercial CA for everything.

It looks like support is fairly wide now, but you'd probably still need to test and confirm it works with all the tools you want, and there's still some risk to users in case the constraints don't catch everything.
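The two comments above touch on the same practical question: RFC 5280 name constraints exist, but whether a given tool enforces them has to be checked, and a constraint that covers only one name form does not catch everything. The script below is an added example, not code posted in the thread or shipped by any project. It builds a throwaway private CA with the openssl CLI, issues three constructed leaf certificates (a DNS name inside the permitted subtree, a DNS name outside it, and an IP-address SAN), and records what `openssl verify` does with each. The names `internal.example`, `app.internal.example`, `www.example.com` and the address `10.0.0.5` are made up for the demo; it assumes an openssl binary of version 1.1.1 or newer on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): name-constrained private CA built with
# the openssl CLI, then checked with `openssl verify`. All names, addresses and
# keys are constructed here. Assumes openssl >= 1.1.1 on PATH.

# make_ca <dir> <nameConstraints value>
# Writes a self-signed CA to <dir>/ca.pem and <dir>/ca.key. A private config
# file is used so the result does not depend on the system openssl.cnf.
make_ca() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = Constructed Internal CA\n' > "$1/ca.cnf"
    printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nnameConstraints = critical,%s\n' "$2" >> "$1/ca.cnf"
    openssl req -x509 -new -config "$1/ca.cnf" -extensions ca_ext -days 30 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_leaf <dir> <name> <CN> <subjectAltName>
# Signs <dir>/<name>.pem with the CA in <dir>; the SAN comes from a small
# extension file passed to `x509 -req -extfile`.
issue_leaf() {
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$3" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$4" > "$1/$2.ext"
    openssl x509 -req -days 30 -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# verify_leaf <dir> <name>: exit 0 if openssl accepts the chain, 1 otherwise.
verify_leaf() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# check <dir> <name> <accept|reject>: print the outcome, fail if unexpected.
check() {
    if verify_leaf "$1" "$2"; then got=accept; else got=reject; fi
    printf '  %-10s %s (expected %s)\n' "$2" "$got" "$3"
    [ "$got" = "$3" ]
}

# run_scenario <constraints> <exp-inscope> <exp-outscope> <exp-ipsan>
# Builds one CA and the three leaves; returns 0 if every outcome matches.
run_scenario() {
    dir=$(mktemp -d)
    make_ca "$dir" "$1" || return 1
    issue_leaf "$dir" inscope  app.internal.example DNS:app.internal.example
    issue_leaf "$dir" outscope www.example.com      DNS:www.example.com
    # CN with spaces is deliberately not a DNS-looking name, so only the
    # IP-address SAN is subject to the constraint check.
    issue_leaf "$dir" ipsan    "Device with IP SAN" IP:10.0.0.5
    ok=0
    check "$dir" inscope  "$2" || ok=1
    check "$dir" outscope "$3" || ok=1
    check "$dir" ipsan    "$4" || ok=1
    rm -rf "$dir"
    return $ok
}

# Weak CA: only dNSName is constrained. Per RFC 5280 4.2.1.10 a constraint
# applies only to the name forms it mentions, so an IP-address SAN is
# unconstrained and the ipsan leaf is accepted.
weak='permitted;DNS:internal.example'
# Hardened CA: additionally exclude every IPv4 address. A deployment would
# also need an IPv6 excluded subtree (and email/URI forms if clients use them).
hardened='permitted;DNS:internal.example,excluded;IP:0.0.0.0/0.0.0.0'

# demo: runs both scenarios; returns 0 only if all six outcomes are as expected.
demo() {
    echo "== DNS-only constraint =="
    run_scenario "$weak" accept reject accept || return 1
    echo "== DNS constraint plus excluded IPv4 =="
    run_scenario "$hardened" accept reject reject || return 1
}

demo
```

The same three leaves can be pointed at any other verifier you care about (a browser, curl against a local listener, a language runtime's TLS stack) to confirm it rejects `outscope` and `ipsan` the way `openssl verify` does here; a client that accepts either one is exactly the unconstrained trust toast0 describes.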