Re: restricting the scope of CA certificates

On Fri, 2016-06-03 at 13:54 +0200, Florian Weimer wrote:
> On 06/03/2016 01:52 PM, Nikos Mavrogiannopoulos wrote:
> > On Fri, 2016-06-03 at 10:24 +0200, Florian Weimer wrote:
> > > On 06/03/2016 09:13 AM, Nikos Mavrogiannopoulos wrote:
> > > > If you are of the types who like tinkering, here is a way to
> > > > restrict CA certificates in your Fedora on specific domains.
> > > > Currently limited to gnutls applications.
> > > > 
> > > > http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
> > > Is there also a way to do the opposite, that is, list which CAs
> > > are permitted to issue certificates for certain parts of the DNS
> > > tree?
> > If your question is whether it is doable, then the answer is yes.
> > One would need to traverse all existing certificates in the trust
> > module and use the name constraints extension. In terms of gnutls
> > API you'd probably like to call gnutls_x509_crt_import_url() with
> > the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag on all the
> > certificate objects in the trust module, and sort their name
> > constraints. There is no tool for that though.
> Sorry, I didn't realize that my question was worded ambiguously.
> 
> Let me rephrase it: Is it possible to express that only the Red Hat
> internal CA may issue certificates under *.corp.redhat.com, and no
> other CAs may issue certificates for this subtree?

Not in terms of stapled extensions, as the extensions would have to be
stapled onto some concrete certificates. You would basically have to
create stapled extensions for every CA in your trusted list except for
the Red Hat internal CA. And if any additional CA is added to the
trusted list, it would have to get this stapled extension too.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
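The two policies discussed in this thread, modelled in Python as an added example (this is not code from the thread, from gnutls or from p11-kit, and it does not touch a real trust store). CA names and hostnames are constructed; the matching follows the dNSName rules of RFC 5280 section 4.2.1.10. It shows the direction the blog post covers (pin one CA to some domains with permittedSubtrees), the direction Florian asks about (reserve a subtree for one CA, which with stapled extensions means an excludedSubtrees entry on every other anchor), and the maintenance problem Tomas points out: a CA added to the store afterwards carries no constraint, so the reservation silently stops holding for it.

```python
"""Added example (not code from the thread, gnutls or p11-kit): a model of
the two trust-store policies discussed above, using the dNSName matching
rules of RFC 5280 section 4.2.1.10. All CA names and hostnames are
constructed for illustration; nothing here touches a real trust store."""

from dataclasses import dataclass, field


def dns_matches(hostname: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint: satisfied when the host name equals the
    constraint or extends it by whole labels on the left. So "corp.redhat.com"
    covers "vpn.corp.redhat.com" but not "xcorp.redhat.com"."""
    host = hostname.lower().rstrip(".")
    base = constraint.lower().strip(".")
    return host == base or host.endswith("." + base)


@dataclass
class TrustAnchor:
    """A CA in the trust module plus the name constraints stapled onto it."""
    subject: str
    permitted: list = field(default_factory=list)  # permittedSubtrees (dNSName)
    excluded: list = field(default_factory=list)   # excludedSubtrees (dNSName)

    def may_issue_for(self, hostname: str) -> bool:
        """What a validator decides for a leaf with this hostname that chains
        to this anchor. Excluded subtrees win; an empty permitted list means
        'any name', as in RFC 5280."""
        if any(dns_matches(hostname, c) for c in self.excluded):
            return False
        if self.permitted and not any(dns_matches(hostname, c) for c in self.permitted):
            return False
        return True


def issuers_for(anchors, hostname: str):
    """Which anchors in the store are still allowed to vouch for hostname."""
    return sorted(a.subject for a in anchors if a.may_issue_for(hostname))


def restrict_ca(anchor: TrustAnchor, domains):
    """Direction 1 (the blog post): pin one CA to a list of domains by
    stapling permittedSubtrees onto that one anchor."""
    anchor.permitted.extend(domains)


def reserve_subtree(anchors, subtree: str, owner: str):
    """Direction 2 (Florian's question): only `owner` may issue under
    `subtree`. With stapled extensions this can only be expressed by
    stapling an excludedSubtrees entry onto every *other* anchor present
    at the time, which is the maintenance problem Tomas describes."""
    for a in anchors:
        if a.subject != owner:
            a.excluded.append(subtree)


def build_store():
    """Constructed trust store: one internal CA and two public ones."""
    return [
        TrustAnchor("Red Hat Internal CA"),
        TrustAnchor("Public CA 1"),
        TrustAnchor("Public CA 2"),
    ]


if __name__ == "__main__":
    store = build_store()
    restrict_ca(store[0], ["corp.redhat.com"])
    print("example.org issuers:", issuers_for(store, "www.example.org"))

    reserve_subtree(store, "corp.redhat.com", "Red Hat Internal CA")
    print("corp issuers:", issuers_for(store, "vpn.corp.redhat.com"))

    # A CA added to the store later carries no stapled constraint, so the
    # reservation silently stops holding for it.
    store.append(TrustAnchor("Public CA 3 (added later)"))
    print("corp issuers after adding a CA:", issuers_for(store, "vpn.corp.redhat.com"))
```

Two caveats carry over from the thread to any real deployment of this idea: the stapled constraints only help in applications whose TLS stack consults the trust module for them (the blog post says this is currently limited to gnutls applications), and the reserve_subtree direction has to be re-run every time the trusted list changes, otherwise the newly added CA is unconstrained exactly as in the last step above.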