billpg No.41912612
Is "name constraints" new? I wanted to do something similar a decade or two ago and found I'd have to be trusted for all domains, which I wanted to avoid.
1. toast0 No.41915972
A decade ago, name constraints was available, but support wasn't really there. I was looking into making a company CA for internal tools, but I didn't want to be able to MITM employees going to unrelated sites, and I couldn't mandate specific browsers, so we ended up using a commercial CA for everything.

It looks like support is fairly wide now, but you'd probably still need to test and confirm it works with all the tools you want, and there's still some risk to users in case the constraints don't catch everything.