Confirm, administrator
5,526
edits
Changes
m
→Constrain Issuing Sub-CAs to Authorized Domains (DRAFT)
Consider constraining your Intermediate Issuing Certificates to the first and second-level domains that they are authorized to issue certificates for, such as .edu, .gov, and the country-level TLD. Some CAs only need to issue certificates within certain TLDs, such as government run/sponsored CAs, and CAs for national research and education networks. The CA’s user base is large enough that typical Mozilla users in their region would benefit from having their root certificate included in NSS, but the CA only needs to issue certificates within certain first and second-level domains.
The CA’s CP/CPS documentation should indicate the first and second-level domains that the Issuing Subordinate Certificates are constrained to, and cite how the constraints are enforced. For example, indicate the technical controls that are in place, such as the use of Name Constraints as specified in RFC 5280 and marked as critical.
Notes:
