On Apr 4, 6:30 pm, Jean-Marc Desperrier wrote:
> On 04/04/2010 08:32, Matt McCutchen wrote:
> > [...]
> > It would be great if a Mozilla-recognized CA would be willing to give
> > me, as the registrant of mattmccutchen.net, an intermediate CA
> > certificate with a critical name constraint limiting it to
> > mattmccutchen.net.
>
> I don't believe this taking a hammer to crack a nut approach will have
> much success.

A name-constrained intermediate certificate could be quite convenient
for the large organizations that are presently demanding that their
users trust private CAs for the whole Web (see bug 501697).  Users with
new enough NSS would see the sites just work; other users could trust
the intermediate certificate as if it were a root.

> Especially since there's also the fact the CA would not be
> able to constrain the *usage* you give to your certs.

An extended key usage of "TLS Web Server Authentication" on the
intermediate CA would constrain all sub-certificates, no?

--
Matt
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
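The two mechanisms discussed in the thread, a critical name constraint on an intermediate CA certificate and an extended key usage on that same intermediate, can be exercised end to end with OpenSSL. The script below is an added example, not code from the thread or from Mozilla; it assumes OpenSSL 1.1.1 or later is installed, uses constructed names (an "Example Root", an intermediate constrained to `mattmccutchen.net` as in the thread, and leaf certificates for `www.mattmccutchen.net` and `www.example.com`), and uses OpenSSL's `openssl verify -purpose` check as the verifier. Two things it shows that the thread only asserts: a leaf whose SAN falls outside the permitted DNS subtree is rejected with a permitted-subtree violation, and a leaf asking for a usage (clientAuth) that the intermediate's EKU does not list is rejected too. Note that the EKU behaviour is an implementation convention (OpenSSL's purpose check applies the EKU of every CA in the chain), not something RFC 5280 itself mandates, so it is an assumption about the verifier rather than a property of the certificate alone.

```shell
#!/bin/sh
# Added example: name-constrained intermediate CA + EKU, checked with OpenSSL.
# All names, paths and keys below are constructed for the demonstration.
set -e

# Self-contained OpenSSL config so `openssl req` does not depend on a system openssl.cnf.
# v3_inter carries the critical nameConstraints and the serverAuth-only EKU from the thread.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
nameConstraints = critical, permitted;DNS:mattmccutchen.net
subjectKeyIdentifier = hash
EOF
}

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Build root.pem (trust anchor) and inter.pem (constrained intermediate) in directory $1.
build_chain() {
  write_config "$1"
  gen_key "$1/root.key"
  openssl req -new -config "$1/ca.cnf" -key "$1/root.key" -subj "/CN=Example Root" -out "$1/root.csr"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 365 \
    -extfile "$1/ca.cnf" -extensions v3_root -out "$1/root.pem" 2>/dev/null
  gen_key "$1/inter.key"
  openssl req -new -config "$1/ca.cnf" -key "$1/inter.key" \
    -subj "/CN=Constrained Intermediate CA" -out "$1/inter.csr"
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -days 365 -extfile "$1/ca.cnf" -extensions v3_inter -out "$1/inter.pem" 2>/dev/null
}

# Issue a leaf from the intermediate: $1 = dir, $2 = DNS name, $3 = EKU, $4 = file basename.
issue_leaf() {
  gen_key "$1/$4.key"
  openssl req -new -config "$1/ca.cnf" -key "$1/$4.key" -subj "/CN=$2" -out "$1/$4.csr"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = %s\nsubjectAltName = DNS:%s\n' \
    "$3" "$2" > "$1/$4.ext"
  openssl x509 -req -in "$1/$4.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" -CAcreateserial \
    -days 90 -extfile "$1/$4.ext" -out "$1/$4.pem" 2>/dev/null
}

# Verify leaf $2 in dir $1 for OpenSSL purpose $3 (sslserver/sslclient). Returns 0 iff the chain is accepted.
verify_leaf() {
  if out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" -purpose "$3" "$1/$2.pem" 2>&1); then
    echo "$2 as $3: OK"
    return 0
  else
    echo "$2 as $3: REJECTED ($(echo "$out" | tr '\n' ' '))"
    return 1
  fi
}

# Returns 0 only if all three outcomes match what the constraints should enforce.
run_demo() {
  t=$(mktemp -d)
  build_chain "$t"
  issue_leaf "$t" www.mattmccutchen.net serverAuth good
  issue_leaf "$t" www.example.com serverAuth outside
  issue_leaf "$t" www.mattmccutchen.net clientAuth client
  ok=0
  verify_leaf "$t" good sslserver || ok=1     # inside the permitted subtree: accepted
  verify_leaf "$t" outside sslserver && ok=1  # outside it: permitted subtree violation
  verify_leaf "$t" client sslclient && ok=1   # clientAuth not in the intermediate's EKU: rejected
  rm -rf "$t"
  return $ok
}

run_demo
```

Run it as `sh demo.sh`; it prints one line per verification. A browser-side verifier such as NSS performs the same two checks during path validation, which is why users with a new enough NSS would see a site under the constrained intermediate "just work" while a certificate misissued outside the constraint would still fail.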
