[Requirements] a device CA that could issue specific domain only

[tomoyukilabs]

Regarding a device CA, one of the things we need to clarify is whether such a domain in certificates issued by such a CA could be restricted to one domain or its subdomain or not. in other words, if such a restriction would be impossible, the CA would have to be a public CA.

If you have an interest and/or knowledge about this issue, any information or proposal, e.g. standards about domain-restricted CA if any, would be welcome.

[tomoyukilabs]

A couple of additional topics:

• X.509 has name constraints extension.
• CA/Browser Forum defines Technically Constrained Subordinate CA in Baseline Requirements for theIssuance and Management of Publicly-Trusted Certificates. Technically Constrained Subordinate CA has a limited domain scope defined by name constraints.

[tadahik]

I am going to write some description about name-constraint and technically constrained, and also some use use case.

[tomoyukilabs]

@tadahik Okay, contribution in a different aspect is highly welcome!