Upstream issue 26 has an interesting suggestion which could limit the blast radius of a file disclosure of the CA key. I suspect that generally file disclosure is a bit easier for an attacker to accomplish than full local compromise but I don't have anything to back that up.
I'd consider trying implementations of PermittedDNSDomains and PermittedIPRanges and just hooking PermittedDNSDomainsCritical to the presence of values in either.
x509.Certificate has these related fields:
```go
// Name constraints
PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
PermittedDNSDomains         []string
ExcludedDNSDomains          []string
PermittedIPRanges           []*net.IPNet
ExcludedIPRanges            []*net.IPNet
PermittedEmailAddresses     []string
ExcludedEmailAddresses      []string
PermittedURIDomains         []string
ExcludedURIDomains          []string
```
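The suggestion above, worked through as an added Go example (not code from this project or the upstream issue): a CA template whose name constraints are marked critical exactly when `PermittedDNSDomains` or `PermittedIPRanges` carry values, plus a check that a leaf signed with that CA key is only accepted for names inside the constraints. The CA subject, the domain and IP range constraints, and the leaf names are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// constrainedCA builds a CA template; the constraints are critical exactly when set.
func constrainedCA(dnsDomains []string, ipRanges []*net.IPNet) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constrained CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		PermittedDNSDomains: dnsDomains, PermittedIPRanges: ipRanges,
		PermittedDNSDomainsCritical: len(dnsDomains) > 0 || len(ipRanges) > 0,
	}
}

// leafVerifies signs a server leaf with the constrained CA key and reports whether a
// verifier trusting that CA accepts it: names outside the constraints are rejected.
func leafVerifies(dnsDomains []string, ipRanges []*net.IPNet, leafDNS []string, leafIPs []net.IP) (bool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := constrainedCA(dnsDomains, ipRanges)
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return false, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // re-parse so the CA carries its encoded extensions
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter,
		DNSNames: leafDNS, IPAddresses: leafIPs,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return false, err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil, nil // a Verify error here is the name-constraint rejection
}
```

With the CA key available to the signer in both cases, only the leaf inside the permitted domain or IP range passes `Verify`; this is the reduced blast radius the issue describes.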