Sign me as an Intermediate CA for my Domain with Name Constraint?

I'm by no means an expert on the Baseline Requirements, so I'm not certain whether the existing language would allow this use-case without being in scope for audits and such. I imagine the reasoning for not doing it would be the lack of platform support - this limitation makes it mostly a "Hey, this would be cool" thing, as opposed to something that would actually be useful in practice. Not something you'd expect a body mostly made up of commercial CAs to be particularly interested in (and vote for).

I believe CT servers are happy to take any certificate that chains up to a root the CT server accepts, so the intermediate should not be the problem here. A bigger problem would be that CT submissions would be up to you in this scenario, so there's no (technical) way for a CA to say "all my leaf certificates will be logged" once they issue intermediates to subscribers.

Must-Staple is only supported by one browser, and the Chrome team has stated that they currently have no plans to adopt it (IIRC). Just like name constraints, this is going to take years to get adopted by a sufficiently large percentage of the internet, and only then would a body such as the CA/B Forum begin to even consider this a viable solution for misuse.

Not saying that I wouldn't like this possibility in general, but this is an area where I'd definitely want CAs and browser vendors to move carefully and conservatively and weigh the risks to the Web PKI as a whole against the benefits of such a proposal.

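As an added example that is not part of this post, here is the dNSName name-constraint check a conforming path validator would apply to a leaf issued by such a constrained intermediate (RFC 5280 section 4.2.1.10); the constraint values and SAN lists are constructed for illustration, and only dNSName subtrees are handled (not IP, email or URI constraints).

```python
# Added example (not from the post): how a conforming validator applies the
# name-constraints extension of an intermediate CA to the dNSName SANs of a
# leaf certificate. All constraint strings and SAN lists are constructed here.
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    permitted: list[str] = field(default_factory=list)  # permittedSubtrees (dNSName)
    excluded: list[str] = field(default_factory=list)   # excludedSubtrees (dNSName)


def dns_matches(name: str, subtree: str) -> bool:
    """A dNSName subtree matches the host itself and any left-hand extension
    of it; a leading "." (commonly emitted by tooling) matches subdomains only.
    Comparison is case-insensitive and ignores a trailing root dot."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def name_permitted(name: str, nc: NameConstraints) -> bool:
    # excludedSubtrees always win; an empty permittedSubtrees imposes no limit.
    if any(dns_matches(name, s) for s in nc.excluded):
        return False
    if nc.permitted and not any(dns_matches(name, s) for s in nc.permitted):
        return False
    return True


def leaf_allowed(leaf_sans: list[str], chain_constraints: list[NameConstraints]) -> bool:
    """Every dNSName in the leaf SAN must satisfy the constraints of every CA
    in the chain that carries the extension. A validator that ignores the
    extension (the "platform support" gap) would accept all of these leaves."""
    return all(name_permitted(n, nc) for nc in chain_constraints for n in leaf_sans)


if __name__ == "__main__":
    # Constructed intermediate: may issue under example.com, never under internal.example.com
    nc = NameConstraints(permitted=["example.com"], excluded=["internal.example.com"])
    for sans in (["www.example.com"], ["example.org"], ["notexample.com"],
                 ["db.internal.example.com"]):
        print(sans, "->", "accept" if leaf_allowed(sans, [nc]) else "reject")
```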