On Fri, May 5, 2017 at 11:44 AM, Dimitris Zacharopoulos via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Looking at https://github.com/mozilla/pkipolicy/issues/69
>
> do you have a proposed language that takes all comments into account? From
> what I understand, the Subordinate CA Certificate to be considered
> Technically Constrained only for S/MIME:
>
> * MUST include an EKU that has the id-kp-emailProtection value AND
> * MUST include a nameConstraints extension with
>   o a permittedSubtrees with
>     + rfc822Name entries scoped in the Domain (@example.com) or
>       Domain Namespace (@example.com, @.example.com) controlled by
>       an Organization and
>     + dirName entries scoped in the Organizational name and location
>   o an excludedSubtrees with
>     + a zero-length dNSName
>     + an iPAddress GeneralName of 8 zero octets (covering the IPv4
>       address range of 0.0.0.0/0)
>     + an iPAddress GeneralName of 32 zero octets (covering the
>       IPv6 address range of ::0/0)
Why do we need to address dNSName and iPAddress if the only EKU is id-kp-emailProtection? Can we simplify this to just requiring at least one rfc822Name entry in the permittedSubtrees?

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
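The following is an added example, not code from the thread or from the Mozilla policy repository. It encodes a NameConstraints extension (RFC 5280 section 4.2.1.10) with the entries listed in the quoted proposal using a small standard-library DER encoder/decoder, then checks a CA's EKU set and constraints against both readings: the full list above (strict) and the simplification asked about in the reply (rfc822Name in permittedSubtrees only). The EKU OID set is assumed to have been extracted from the certificate already; the sample constraint values and the organization name are constructed for the example. Note that rfc822Name constraints are encoded as host names ("example.com", ".example.com") rather than with a leading "@".

```python
# Added example (not from the thread): encode and check an X.509 NameConstraints
# extension against the two readings of "technically constrained for S/MIME"
# discussed above. Pure standard library; a tiny DER encoder/decoder suffices
# because NameConstraints is shallow (RFC 5280 section 4.2.1.10).
# Assumption: the EKU OID set was already parsed out of the certificate.

ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Context-specific tags of the GeneralName choices used here.
RFC822_NAME, DNS_NAME, DIRECTORY_NAME, IP_ADDRESS = 0x81, 0x82, 0xA4, 0x87
GN_KINDS = {RFC822_NAME: "rfc822Name", DNS_NAME: "dNSName",
            DIRECTORY_NAME: "directoryName", IP_ADDRESS: "iPAddress"}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def build_name_constraints(permitted, excluded):
    """permitted/excluded: lists of (GeneralName tag, value bytes).
    GeneralSubtree is SEQUENCE { base } (minimum defaults to 0, maximum
    omitted); [0]/[1] are IMPLICIT, so they replace the GeneralSubtrees
    SEQUENCE tag. Empty lists are omitted (SIZE (1..MAX))."""
    def subtrees(entries):
        return b"".join(tlv(0x30, tlv(tag, val)) for tag, val in entries)
    body = b""
    if permitted:
        body += tlv(0xA0, subtrees(permitted))
    if excluded:
        body += tlv(0xA1, subtrees(excluded))
    return tlv(0x30, body)


def dir_name_org(org):
    """Minimal directoryName: a Name with a single RDN of O=<org>."""
    oid_organization_name = bytes.fromhex("060355040a")   # 2.5.4.10
    atv = tlv(0x30, oid_organization_name + tlv(0x0C, org.encode()))
    return tlv(0x30, tlv(0x31, atv))


def der_read(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def parse_name_constraints(der):
    """Return {'permitted': [(kind, value)], 'excluded': [(kind, value)]}."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("NameConstraints must be a SEQUENCE")
    result = {"permitted": [], "excluded": []}
    for tag, subtrees in der_children(body):
        key = {0xA0: "permitted", 0xA1: "excluded"}[tag]
        for _, subtree in der_children(subtrees):
            gn_tag, gn_val = der_children(subtree)[0]      # base comes first
            result[key].append((GN_KINDS.get(gn_tag, hex(gn_tag)), gn_val))
    return result


def strict_smime_constrained(ekus, nc):
    """The quoted list: emailProtection EKU, an rfc822Name in permittedSubtrees,
    and excludedSubtrees covering the empty dNSName, 0.0.0.0/0 and ::/0."""
    if ID_KP_EMAIL_PROTECTION not in ekus:
        return False
    if not any(kind == "rfc822Name" for kind, _ in nc["permitted"]):
        return False
    required_excluded = {("dNSName", b""), ("iPAddress", bytes(8)),
                         ("iPAddress", bytes(32))}
    return required_excluded <= set(nc["excluded"])


def relaxed_smime_constrained(ekus, nc):
    """The simplification asked about: emailProtection is the only EKU and at
    least one rfc822Name appears in permittedSubtrees."""
    return (set(ekus) == {ID_KP_EMAIL_PROTECTION}
            and any(kind == "rfc822Name" for kind, _ in nc["permitted"]))


# Constructed samples (RFC 5280 rfc822Name constraints are host names, so
# "@example.com" from the mail is encoded as "example.com").
FULL_NC = build_name_constraints(
    permitted=[(RFC822_NAME, b"example.com"), (RFC822_NAME, b".example.com"),
               (DIRECTORY_NAME, dir_name_org("Example Corp"))],
    excluded=[(DNS_NAME, b""), (IP_ADDRESS, bytes(8)), (IP_ADDRESS, bytes(32))],
)
EMAIL_ONLY_NC = build_name_constraints(permitted=[(RFC822_NAME, b"example.com")],
                                       excluded=[])

if __name__ == "__main__":
    for label, ekus, der in [
        ("full constraints, email EKU", {ID_KP_EMAIL_PROTECTION}, FULL_NC),
        ("rfc822 only, email EKU", {ID_KP_EMAIL_PROTECTION}, EMAIL_ONLY_NC),
        ("full constraints, email+server EKU",
         {ID_KP_EMAIL_PROTECTION, ID_KP_SERVER_AUTH}, FULL_NC),
    ]:
        nc = parse_name_constraints(der)
        print(f"{label}: strict={strict_smime_constrained(ekus, nc)} "
              f"relaxed={relaxed_smime_constrained(ekus, nc)}")
```

The third sample input, a CA carrying serverAuth alongside emailProtection, is where the two readings diverge: the strict check still classifies it by its excludedSubtrees, while the relaxed check rejects it on the EKU set alone.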