Hackers' Pub

@cksChris Siebenmann did you ever have any luck with TLS root certificate authority using name based constraints?

I have read two of your wandering thoughts posts about it and I’m curious if you have any time derived insight.

I have a constrained root (permitted;DNS.1 example.net permitted;IP.1: 192.0.2.0/255.255.255.0) and struggling with what to do about unqualified / short names.

In an unconstrained root, it’s trivial to add the unqualified name to the subjectAltName of the leaf certificate.

But the combination of name based constraints and unqualified names is still bothering me.

Arguable the name based constraint is doing exactly what it should.

I’m hoping to avoid listing a bunch of unqualified host names as additional DNS.# entries in the root CA’s config.

I’m curious what your experience was / is and if you have any recommendations.

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`