On Wed, Sep 18, 2013 at 5:50 PM, Viktor Dukhovni <cryptogra...@dukhovni.org> wrote:

> On Wed, Sep 18, 2013 at 08:47:17PM +0000, Viktor Dukhovni wrote:
>
> > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
> >
> > > > This is only realistic with DANE TLSA (certificate usage 2 or 3),
> > > > and thus will start to be realistic for SMTP next year (provided
> > > > DNSSEC gets off the ground) with the release of Postfix 2.11, and
> > > > with luck also a DANE-capable Exim release.
> > >
> > > What's wrong with name-constrained intermediates?
> >
> > X.509 name constraints (critical extensions in general) typically
> > don't work.
>
> And public CAs don't generally sell intermediate CAs with name
> constraints. Rather undercuts their business model.
>

This is no longer the case. Best Practice is now considered to be to use name constraints but not mark them critical.

This is explicitly a violation of PKIX which insists that a name constraint extension be marked critical. Which makes it impossible to use name constraints as they will break in Safari and a few other browsers.

The refusal to make the obvious change is either because people do not understand the meaning of the critical bit or the result of some of that $250 million being felt in the PKIX group.

As I pointed out at RSA, the use of name constraints might well have prevented the FLAME attack working.

--
Website: http://hallambaker.com/
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
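
The critical-bit trade-off discussed in the message above, as an added example that is not part of the original thread: a simplified model of RFC 5280 extension processing (reject an unrecognized critical extension, ignore an unrecognized non-critical one) combined with dNSName subtree matching. The `Extension` class, the `validate` and `matrix` helpers, the "aware"/"legacy" client labels and all sample names are constructed for illustration; this is not a real X.509 validator.

```python
from dataclasses import dataclass

NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints (RFC 5280)

@dataclass
class Extension:
    """Hypothetical stand-in for one extension on an intermediate CA certificate."""
    oid: str
    critical: bool
    permitted_dns: tuple = ()  # permitted dNSName subtrees (constructed sample data)

def dns_within(name, subtree):
    """RFC 5280 4.2.1.10: a dNSName satisfies the constraint if it equals the
    subtree or is formed by adding whole labels on the left-hand side."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def validate(leaf_dns_names, ca_extensions, understood_oids):
    """Return (accepted, reason) for a leaf issued under a CA carrying ca_extensions,
    as judged by a client that only implements the OIDs in understood_oids."""
    for ext in ca_extensions:
        if ext.oid not in understood_oids:
            if ext.critical:
                # A client must reject a critical extension it does not recognize.
                return False, "unrecognized critical extension"
            continue  # Non-critical and unrecognized: ignored, constraint unenforced.
        if ext.oid == NAME_CONSTRAINTS and ext.permitted_dns:
            for name in leaf_dns_names:
                if not any(dns_within(name, s) for s in ext.permitted_dns):
                    return False, f"{name} outside permitted subtrees"
    return True, "ok"

def matrix():
    """Evaluate every combination of critical bit, client type and leaf name."""
    results = {}
    for critical in (True, False):
        ca = [Extension(NAME_CONSTRAINTS, critical, ("example.com",))]
        for client, oids in (("aware", {NAME_CONSTRAINTS}), ("legacy", set())):
            for leaf in ("mail.example.com", "www.other.test"):
                results[(critical, client, leaf)] = validate([leaf], ca, oids)[0]
    return results

if __name__ == "__main__":
    for (critical, client, leaf), ok in matrix().items():
        print(f"critical={critical!s:5} client={client:6} leaf={leaf:17} accepted={ok}")
```

With the critical bit set, the "legacy" client rejects even the in-scope leaf; with it cleared, the same client accepts the out-of-scope leaf because it never evaluates the constraint.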