Why don't browsers maintain, for each CA, a list of TLDs that they are allowed to certify?
I doubt many will care if CNNIC is happy to issue bogus certificates in the .cn domain. But I don't
see why they, or any of the other mysterious entities that we all trust without thinking about it,
should be allowed to sign certificates for .com, .co.uk, .fr, .mil, and other domains.
Specify which TLDs the root CAs are responsible for!
Posted Feb 3, 2010 12:52 UTC (Wed) by paulj (subscriber, #341)
x.509 has this ability already. Subordinate CAs can be recognised by root CAs,
and the subordinate CAs can then sign certificates named below their name.
It's basically little used. My vague impression is that existing root CAs charge
*lots* of money to sign subordinate CA certs, and also other orgs want the
prestige of being a root CA.
Basically, while technical people love logical, hierarchical systems for
naming/responsibility delegation, politics, social dynamics and normal people
seem to abhor it. So these technical hierarchicalisation abilities tend to go to
waste.
SSL, DNS, etc. They've all tended from hierarchicalisation at inception towards
flat, unmanageable messes as deployment increases. (Counter-examples
would be really interesting, e.g. postal addresses have gotten flatter too
thanks to post codes.)
Specify which TLDs the root CAs are responsible for!
Posted Feb 3, 2010 13:48 UTC (Wed) by gerv (subscriber, #3376)
It's a good idea. There is such a thing built into the standard, called "name constraints". However, NSS doesn't support them quite right yet.
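The "name constraints" mechanism gerv mentions, as an added illustration that is not part of this thread or of NSS: the dNSName matching rule from RFC 5280 section 4.2.1.10, applied along a chain so a root limited to .cn (the scenario in the original post) cannot vouch for a .com name. Certificate parsing is left out; the constraint lists and host names are constructed for the example.

```python
"""Checks dNSName values against X.509 name constraints (RFC 5280 s4.2.1.10).

Pure-Python illustration of the mechanism; it does not parse certificates.
"""
from dataclasses import dataclass, field


def _dns_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` equals `subtree` or is a subdomain of it.

    RFC 5280 writes dNSName constraints without a leading dot ("cn"), but a
    leading dot (".cn") is common in practice, so both spellings are accepted.
    Matching is on whole labels, so "examplecn" is not inside "cn".
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    if not subtree:  # an empty subtree covers every name
        return True
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    """permittedSubtrees / excludedSubtrees of one CA certificate (dNSName only)."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        # Excluded subtrees win; permitted subtrees, if any, must contain the name.
        if any(_dns_in_subtree(name, s) for s in self.excluded):
            return False
        if self.permitted and not any(_dns_in_subtree(name, s) for s in self.permitted):
            return False
        return True


def chain_allows(dns_names: list[str], path: list[NameConstraints]) -> bool:
    """Every dNSName in the leaf must satisfy the constraints of every CA on the
    path: constraints accumulate down the chain, and a CA with none adds nothing."""
    return all(ca.allows(n) for ca in path for n in dns_names)


# Constructed scenario: a root CA limited to .cn, an unconstrained root, and a
# subordinate CA under it that is forbidden from issuing for .mil.
CN_ONLY_ROOT = NameConstraints(permitted=["cn"])
UNCONSTRAINED_ROOT = NameConstraints()
MIL_EXCLUDED_SUB = NameConstraints(excluded=["mil"])

if __name__ == "__main__":
    print(chain_allows(["www.example.cn"], [CN_ONLY_ROOT]))   # True
    print(chain_allows(["www.example.com"], [CN_ONLY_ROOT]))  # False
    print(chain_allows(["host.army.mil"], [UNCONSTRAINED_ROOT, MIL_EXCLUDED_SUB]))  # False
```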