Hacker News

infogulch, yesterday at 1:22 AM (3 replies)

Glad to see DNS validation from multiple perspectives, that's a scary attack vector.

I wonder if we can ever hope for CA/B to permit name constrained, short lifespan, automatically issued intermediate CAs, authenticated with something like a DNS-01 challenge. I've advocated for this before [1][2], but here's my pitch again:

I want to issue certificates from my own ICA for my homelab and office, to avoid ratelimits and hide hostnames for private services. I submit that issuing a 90-day ICA certificate with a name constraint that only allows it to issue certificates for the specific domain is no more dangerous than issuing a wildcard certificate, and offers enough utility that it should be considered seriously.

Objection 1: "Just use a wildcard cert." Wildcard certs are not sufficient here because they don't support nested wildcards, and — more importantly — they don't allow you to isolate hosts since any host can serve all subdomains. I'd rather not give some rando vibecoded nodejs app the same certificate that I use to handle auth.

Objection 2: "Just install a self-signed CA on all your devices." Installing and managing self-signed CAs on every device is tedious, error prone, and arguably more dangerous than issuing a 90-day name-constrained ICA.

Objection 3: "Aren't name constraints not supported by all clients?" On the contrary, they've had wide support for almost a decade, and for those just set the critical bit.

I understand this is not a "just ship it lmao" kind of change, but if we want this by 2030 planning for it needs to start happening now.

[1]: https://news.ycombinator.com/item?id=37537689

[2]: https://news.ycombinator.com/item?id=29808233
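An added demonstration of the proposal in this comment (not the commenter's code, and not any CA's tooling): it builds a throwaway root in place of the public CA, signs a 90-day intermediate under it carrying a critical `nameConstraints` for an assumed domain `example.test`, and then shows what OpenSSL's chain validation does with leaves issued by that intermediate. Leaves for `example.test` and a nested subdomain are accepted; a leaf for `other.example.org` is rejected with a permitted-subtree violation even though the ICA happily signed it. The point worth noticing is that the constraint is enforced by the validator, not the ICA, which is also why it limits names and nothing else about the leaf certificate. Requires the `openssl` command line; all names and directories are constructed for the example.

```shell
#!/bin/sh
# Constructed demo: public-root stand-in -> name-constrained ICA -> leaves.
# Nothing here touches a real CA; every file lands in a temp directory.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
ALLOWED_DOMAIN="example.test"   # assumption: the only domain the ICA may issue for

# Build the root and the 90-day name-constrained intermediate.
make_pki() {
  cd "$PKI_DIR"
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # ICA profile: CA:TRUE with pathlen:0 (may sign leaves only) plus a critical
  # nameConstraints that permits ALLOWED_DOMAIN and any depth of subdomain.
  cat > ica_ext.cnf <<EOF
[v3_ica]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:$ALLOWED_DOMAIN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl ecparam -genkey -name prime256v1 -noout -out root.key
  openssl req -x509 -new -key root.key -out root.pem -days 3650 \
    -subj "/CN=Constructed Root" -config req.cnf -extensions v3_root
  openssl ecparam -genkey -name prime256v1 -noout -out ica.key
  openssl req -new -key ica.key -out ica.csr \
    -subj "/CN=Constructed Homelab ICA" -config req.cnf
  openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 90 -sha256 -extfile ica_ext.cnf -extensions v3_ica -out ica.pem
}

# issue_leaf NAME: sign a server cert for NAME with the ICA. The ICA signs
# whatever it is asked to; the validator is what enforces the constraint.
issue_leaf() {
  name="$1"
  cd "$PKI_DIR"
  printf '[v3_leaf]\nbasicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$name" > "leaf_$name.cnf"
  openssl ecparam -genkey -name prime256v1 -noout -out "$name.key"
  openssl req -new -key "$name.key" -out "$name.csr" -subj "/CN=$name" -config req.cnf
  openssl x509 -req -in "$name.csr" -CA ica.pem -CAkey ica.key -CAcreateserial \
    -days 30 -sha256 -extfile "leaf_$name.cnf" -extensions v3_leaf -out "$name.pem"
}

# check_leaf NAME: exit 0 if root -> ICA -> leaf validates, non-zero otherwise.
# A leaf outside the permitted subtree fails with "permitted subtree violation".
check_leaf() {
  cd "$PKI_DIR"
  openssl verify -CAfile root.pem -untrusted ica.pem "$1.pem" >/dev/null 2>&1
}

demo() {
  make_pki
  for n in app.example.test db.internal.example.test other.example.org; do
    issue_leaf "$n"
    if check_leaf "$n"; then
      echo "$n: accepted"
    else
      echo "$n: rejected by name constraint"
    fi
  done
}
demo
```

Run it as `sh demo.sh`; the first two names are accepted (the nested one shows why a constrained ICA covers what a single-level wildcard cannot) and the third is rejected. Clients that do not understand name constraints will refuse the ICA outright because the extension is marked critical, which is the behaviour the comment is counting on.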


Replies

pabs3, yesterday at 1:33 PM

I feel like BGP attacks (and outright mistakes) haven't gone away, so I wonder how useful MPIC is these days. Also, hosting companies have been known to MITM their customers' connections in order to get valid fake certs.

https://isbgpsafeyet.com/

https://notes.valdikss.org.ru/jabber.ru-mitm/

mcpherrinm, yesterday at 11:45 AM

I can’t see freely available intermediates ever happening. The first three reasons I can think of are here, but there’s more I’m sure.

1. No way to enforce what the issued end-entity certificates look like, beyond name constraints. X509 is an overly-flexible format and a lot of the ecosystem depends on a subset of them being used, which is enforced by policy on CAs.

2. Hiding private domains wouldn’t be any different than today. CT requirements are enforced by the clients, and presumably still would be. Some CAs support issuing certs without CT now, but browsers won’t accept them.

3. Allowing effectively unlimited issuance would likely overwhelm CT, and the whole ecosystem collapses.

gruez, yesterday at 12:17 PM

>Wildcard certs are not sufficient here because they don't support nested wildcards

How many levels of dots do you need?

>I'd rather not give some rando vibecoded nodejs app the same certificate that I use to handle auth.

Use a reverse proxy to handle TLS instead?
