
HTTPS-only mode (is briefly mentioned and I recommend to LWN readers)


Posted Jun 13, 2024 22:19 UTC (Thu) by intgr (subscriber, #39733)
In reply to: HTTPS-only mode (is briefly mentioned and I recommend to LWN readers) by Cyberax
Parent article: Firefox 127.0 released

> name constraints fail open. This makes them a non-starter for any realistic applications.

I believe this is not correct. Every extension (such as Name Constraints) in a cert has a boolean flag called "critical".

Non-critical extensions may be ignored by implementations if they are not recognized (fail open). But the presence of unrecognized critical extensions will make the cert immediately invalid (fail closed).

It's up to the parent CA to mark the constraints as critical.

Of course there may be implementations that interpret Name Constraints incorrectly but that's another matter.



HTTPS-only mode (is briefly mentioned and I recommend to LWN readers)

Posted Jun 13, 2024 22:41 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

I've seen X509 implementations that ignore critical extensions (or even things like SANs).

A proper modern implementation of restrictions would need to include something that poisons certificate validation for incorrect implementations.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds