Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Name constraint on CA certificate #1673

Closed
netheril96 opened this issue Jan 2, 2020 · 2 comments
Closed

Name constraint on CA certificate #1673

netheril96 opened this issue Jan 2, 2020 · 2 comments
Labels
1.2 security_enhancement
Milestone
1.2

Comments

@netheril96
Copy link

Is your feature request related to a problem? Please describe.
Currently, if we keep the PKI, we take the risk that someone steals the CA private key and uses it to sign server certificates our client devices will trust. They would be able to sign any server certificate, including well known ones like google.com, microsoft.com, apple.com, etc.

Describe the solution you'd like
Setting name constraint on CA certificate so that it can only be used to sign our server certificate. Stealing CA private key will then result in no more damage than stealing the server certificate key.

Describe alternatives you've considered
We can choose to discard CA key, but then we cannot add more users.

Additional context
@jackivanov jackivanov added the 1.2 label Jan 3, 2020
@jackivanov jackivanov added this to the 1.2 milestone Jan 3, 2020
@jackivanov
Copy link
Collaborator

Might be related #75

@jackivanov jackivanov mentioned this issue Jan 7, 2020
Merged
4 tasks
@jackivanov
Copy link
Collaborator

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1.2 security_enhancement
Projects
None yet
Milestone
1.2
Development

No branches or pull requests
2 participants
@netheril96 @jackivanov