On Fri, 2016-06-03 at 10:24 +0200, Florian Weimer wrote:
> On 06/03/2016 09:13 AM, Nikos Mavrogiannopoulos wrote:
> >
> > If you are of the types who like tinkering, here is a way to restrict
> > CA certificates in your Fedora on specific domains. Currently limited
> > to gnutls applications.
> >
> > http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
>
> Is there also a way to do the opposite, that is, list which CAs are
> permitted to issue certificates for certain parts of the DNS tree?

If your question is whether it is doable, then the answer is yes. One
would need to traverse all existing certificates in the trust module and
use the name constraints extension. In terms of the gnutls API you'd
probably like to call gnutls_x509_crt_import_url() with the
GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag on all the certificate
objects in the trust module, and sort their name constraints. There is no
tool for that though. However, I'd bet that most CAs in that list have no
constraints.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx