"If we go forward into a different world where restricted sub-CA certificates are affordable, then we might actually see a security improvement overall," Ristic said. However, there are some issues with the name constraints feature, because not all modern browsers support name constraints the way they should, he said.
Apple Safari and iOS devices do not respect name constraints, meaning that even if restricted in this manner, sub-CA certificates could still in theory be used to launch man-in-the-middle SSL attacks against Safari and iOS users, Ristic said. In practice, this won't be very useful for mounting large scale attacks, but could be used in targeted attacks against users of that software, he said.
The problem stems from the fact that not all clients -- browsers and other software that supports SSL -- understand name constraints.
Certificate extensions can be set as critical or non-critical, Ristic said. RFC 5280, which defines the "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" specifies that if the name constraints extension is used, it must be marked as critical. At the same time, conforming clients must reject a certificate if it has an extension marked as critical that they don't understand.
In practice, this means that CAs can't issue sub-CA certificates with name constraints extensions marked as critical, as required by the specification, because some clients will reject the certificates. As a result, version 1.1 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" guidelines released by the Certification Authority/Browser (CAB) Forum allows CAs to issue sub-CA certificates with name constraints set as non-critical.
"Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide," the Baseline Requirements (BRs) say.
The Mozilla Security Team said that version 2.1 of Mozilla's CA Certificate Policy requires CAs to update their operations and SSL certificate issuance to comply with version 1.1 of the CAB Forum's BRs. However, it's not immediately clear if Mozilla's new policy will allow name constraints extensions to be marked as non-critical or not, Ristic said.
Sign up for Computerworld eNewsletters.