Open Bug 1328113 Opened 8 years ago Updated 3 years ago

build feature to impose name constraints on imported (CA) certificates

Categories

(Core :: Security: PSM, defect, P5)

50 Branch
defect

UNCONFIRMED

People

(Reporter: uzytkownik2, Unassigned)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161223192128

Steps to reproduce:

Add an internal CA to the root store (i.e. a CA which issues certificates for internal sites).

Actual results:

The CA is valid for all domains, thus if it is leaked it will be trusted by default and can be used in targeted attacks.

Expected results:

There should be the ability to restrict the CA to a given domain without the need to daisy chain it with Name Constraints. Ideally in the 'Edit Trust' field or when adding the CA.
Component: Untriaged → Security: PSM
Product: Firefox → Core
This would be a cool feature. I thought someone had already filed a bug on it, but I can't find it. In the meantime, though, you could just have that CA include its own name constraints.
Priority: -- → P5
Summary: Root CA cannot be restricted to single CA → build feature to impose name constraints on imported (CA) certificates
Whiteboard: [psm-backlog]

This would be quite useful for cases where a university or other organization requires inclusion of a CA it uses for signing its own sites and where users want to constrain the CA to only such uses, but have no ability to modify the CA itself. Similarly, it could be used to constrain national CAs to only work for names under their associated ccTLD. For example, being able to constrain a university CA to only be able to sign for names under "example.edu".

Adding this would likely also require making sure the Name Constraints implementation works well (e.g., with good error messages, covering SANs in addition to CNs, etc.).

Severity: normal → S3
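The workaround mentioned in the comments (a CA that carries its own Name Constraints, here restricted to "example.edu" as in the university case above), as an added example that is not part of the bug report or of Mozilla's code, checked with the OpenSSL CLI rather than Firefox. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name and the two host names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug or from Mozilla: a private root CA that
# carries its own Name Constraints (the workaround the comments mention), checked
# with the OpenSSL CLI. Assumes OpenSSL 1.1.1+ on PATH; example.edu comes from the
# bug, the CA name and the two leaf names are constructed for the demo.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Own req config, so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:example.edu
EOF

# Self-signed root that may only certify example.edu and names under it.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
  -subj "/CN=Example University Internal CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_leaf NAME: sign a server cert for NAME. The name goes into both CN and
# SAN, since OpenSSL checks both against DNS name constraints.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# chain_ok NAME: status 0 if NAME.crt chains to the constrained root and passes
# the name-constraint check, non-zero otherwise.
chain_ok() { openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1; }

issue_leaf www.example.edu   # inside the permitted subtree
issue_leaf www.example.com   # outside it: what a leaked key could otherwise mint
for n in www.example.edu www.example.com; do
  if chain_ok "$n"; then echo "$n: accepted"; else
    # Print OpenSSL's own reason, which includes "permitted subtree violation".
    echo "$n: rejected"; openssl verify -CAfile ca.crt "$n.crt" 2>&1 || true
  fi
done
```

The same constrained root can be imported into Firefox's certificate store; the constraint then applies to every certificate it issues, which is what the requested 'Edit Trust' option would let the user impose afterwards.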