Y
Hacker News
new
|
ask
|
show
|
jobs
by
merb
1911 days ago
3. use cross signing with name constraints to not have this problem
https://tools.ietf.org/html/rfc5280#section-4.2.1.10
2 comments
Sebb767
1911 days ago
4. Find out that name constraints are either not supported or ignore by basically all major libraries.
link
fomine3
1911 days ago
Issuing CA cert with Name Constraints is good, but end user should recognize the certificate is constrained to their domains or not.
link
midasuni
1911 days ago
The end user should be able to choose the domains the root is valid for - regardless of x509 name constraints.
link