Constrained Trust Infrastructure for Certificate Authorities
OpenAuthority explores a constrained-trust model for certificate authority verification. Instead of granting each CA broad issuance authority, the model cryptographically limits every CA to specific domains and continuously re-verifies that authority through DNS-based eligibility checks.
Modern Web PKI, Certificate Transparency, and projects like Let's Encrypt significantly improved certificate accessibility and ecosystem visibility. OpenAuthority explores a complementary question: whether issuance authority itself can be more narrowly constrained.
Applying least-privilege and blast-radius reduction principles to certificate authority trust
Every CA includes mandatory name constraints. A CA authorized for example.com is cryptographically limited to issuing certificates for example.com and its subdomains, reducing unnecessary trust scope.
Eligibility is continuously re-verified through DNS-based ownership checks. Probationary CAs are checked every 6 hours and active CAs every 24 hours to ensure trust assertions remain current.
The design focuses on reducing compromise impact rather than assuming perfect prevention. If a CA is compromised, issuance scope remains constrained to domains within its verified eligibility boundaries.
Modern Web PKI has significantly improved over the last decade. OpenAuthority explores whether trust authority itself can be scoped more narrowly.
Traditional Web PKI relies on globally trusted roots with broad issuance authority. OpenAuthority explores whether trust relationships can instead be constrained to narrower operational boundaries.
Rather than attempting to eliminate compromise entirely, the model focuses on limiting the scope and operational impact of a compromised certificate authority.
Certificate Transparency improves visibility into issuance activity. OpenAuthority explores an additional property: continuously verifying whether a CA remains eligible to hold authority for specific domains.
An experimental constrained-trust workflow combining DNS-based eligibility verification with mandatory issuance boundaries.
1. Generate a root CA certificate that includes a Name Constraints extension limiting which domains it can sign for. This is mandatory.
2. Publish a DNS TXT record at _openauthority.yourdomain.com whose value is your CA certificate's SHA-512 fingerprint.
3. Your CA enters a probationary period during which we verify the DNS record every 6 hours for 7 days.
4. Once verified, your CA is included in the OpenAuthority trust store for anyone to download.
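The following is an added example, not OpenAuthority's own code, that walks through the steps above and the compromise-containment property described earlier: it generates a root CA with a critical Name Constraints extension for example.com, derives the SHA-512 fingerprint that would be published at _openauthority.example.com, runs one round of the eligibility check against a constructed in-memory DNS zone standing in for a real resolver, and then shows that a certificate the CA signs for a name outside its constraint is rejected by a relying party even though the CA could still produce it. The lowercase-hex fingerprint encoding, the rule that every permitted name must lie within the verified domain, and the resolver stand-in are assumptions of this example; the page specifies only the record name and the hash algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NewConstrainedRootCA creates a self-signed root CA carrying a critical Name
// Constraints extension that permits issuance only for domain and its subdomains.
func NewConstrainedRootCA(domain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constrained Root CA for " + domain},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// RFC 5280 name constraints: "example.com" permits the domain itself and
		// all subdomains; critical so verifiers that ignore it reject the chain.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{domain},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueLeaf signs a server certificate for name. Signing itself is not blocked
// by the constraint; enforcement happens on the relying-party side in VerifyLeaf.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyLeaf validates leaf for hostname with the CA as the only trusted root;
// Go's verifier applies the root's Name Constraints to the leaf's SANs here.
func VerifyLeaf(ca, leaf *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// Fingerprint is the SHA-512 digest of the DER certificate, lowercase hex
// (encoding assumed by this example; the page only names the hash).
func Fingerprint(cert *x509.Certificate) string {
	sum := sha512.Sum512(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// TXTRecordName is the DNS name at which the fingerprint is published.
func TXTRecordName(domain string) string { return "_openauthority." + domain }

// CheckEligibility is one run of the periodic check. lookupTXT stands in for a
// resolver. The CA stays eligible only if every permitted name lies within
// domain (assumed policy, so the constraint is never wider than what DNS proves)
// and a TXT record at _openauthority.<domain> equals the CA fingerprint.
func CheckEligibility(ca *x509.Certificate, domain string, lookupTXT func(string) ([]string, error)) error {
	if len(ca.PermittedDNSDomains) == 0 {
		return errors.New("CA has no Name Constraints extension")
	}
	for _, p := range ca.PermittedDNSDomains {
		p = strings.TrimPrefix(strings.ToLower(p), ".")
		if p != domain && !strings.HasSuffix(p, "."+domain) {
			return fmt.Errorf("permitted name %q is outside %s", p, domain)
		}
	}
	records, err := lookupTXT(TXTRecordName(domain))
	if err != nil {
		return err
	}
	want := Fingerprint(ca)
	for _, r := range records {
		if strings.EqualFold(strings.TrimSpace(r), want) {
			return nil
		}
	}
	return fmt.Errorf("no TXT record at %s matches the CA fingerprint", TXTRecordName(domain))
}

func main() {
	ca, key, err := NewConstrainedRootCA("example.com")
	if err != nil {
		panic(err)
	}
	// Constructed in-memory zone standing in for the public DNS.
	zone := map[string][]string{TXTRecordName("example.com"): {Fingerprint(ca)}}
	lookup := func(name string) ([]string, error) { return zone[name], nil }
	fmt.Println("eligibility:", CheckEligibility(ca, "example.com", lookup))
	inScope, _ := IssueLeaf(ca, key, "www.example.com")
	fmt.Println("www.example.com:", VerifyLeaf(ca, inScope, "www.example.com"))
	// A compromised CA can still sign for a foreign name; relying parties reject it.
	outOfScope, _ := IssueLeaf(ca, key, "www.example.org")
	fmt.Println("www.example.org:", VerifyLeaf(ca, outOfScope, "www.example.org"))
}
```

Run with `go run main.go`: the first verification succeeds, the second fails with a "not authorized to sign for this name" error from the verifier, and replacing the TXT value in the zone map (as a real DNS change would) makes the next eligibility run fail, which is the signal a probationary or active CA would lose its trust-store entry on.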
Run your own CA for your homelab without browser warnings.
Full control over your internal PKI with custom certificate lifetimes. Support internal PKI deployments with organization-controlled trust boundaries.
Build a business offering hosted CA services with verifiable trust.