On 5/5/2017 9:49 PM, Peter Bowen via dev-security-policy wrote:
On Fri, May 5, 2017 at 11:44 AM, Dimitris Zacharopoulos via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
Looking at https://github.com/mozilla/pkipolicy/issues/69

do you have a proposed language that takes all comments into account? From
what I understand, the Subordinate CA Certificate to be considered
Technically Constrained only for S/MIME:

  * MUST include an EKU that has the id-kp-emailProtection value AND
  * MUST include a nameConstraints extension with
      o a permittedSubtrees with
          + rfc822Name entries scoped in the Domain (@example.com) or
            Domain Namespace (@example.com, @.example.com) controlled by
            an Organization and
          + dirName entries scoped in the Organizational name and location
      o an excludedSubtrees with
          + a zero-length dNSName
          + an iPAddress GeneralName of 8 zero octets (covering the IPv4
            address range of 0.0.0.0/0)
          + an iPAddress GeneralName of 32 zero octets (covering the
            IPv6 address range of ::0/0)
Why do we need to address dNSName and iPAddress if the only EKU is
id-kp-emailProtection?

Can we simplify this to just requiring at least one rfc822Name entry
in the permittedSubtrees?

I would be fine with this but there may be implementations that ignore the EKU at the Intermediate CA level. So, if we want to align with both the CA/B Forum BRs section 7.1.5 and the Mozilla Policy for S/MIME, perhaps we should keep the excludedSubtrees.

Dimitris.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
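The nameConstraints layout Dimitris lists above (permitted rfc822Name and dirName entries, excluded zero-length dNSName plus the 8- and 32-zero-octet iPAddress ranges), as an added example that is not part of the thread or of any CA's tooling: a dependency-free DER encoder for the extension value and a checker applying those criteria; the EKU requirement is assumed to be checked separately, and the `dir_name` helper only emits C= and O= RDNs.

```python
RFC822, DNS, IPADDR = 0x81, 0x82, 0x87  # GeneralName [1] IA5String, [2] IA5String, [7] OCTET STRING
DIRNAME = 0xA4                          # GeneralName [4] Name; explicit tag because Name is a CHOICE

def der(tag: int, body: bytes) -> bytes:
    """One DER TLV; long length form once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def subtree(name_tag: int, value: bytes) -> bytes:
    """GeneralSubtree holding only its base name (minimum is DEFAULT 0, so DER omits it)."""
    return der(0x30, der(name_tag, value))

def dir_name(org: str, country: str) -> bytes:
    """DER Name with C= (PrintableString) and O= (UTF8String) RDNs, for a dirName subtree."""
    def rdn(oid: bytes, tag: int, value: str) -> bytes:
        return der(0x31, der(0x30, der(0x06, oid) + der(tag, value.encode("utf-8"))))
    return der(0x30, rdn(b"\x55\x04\x06", 0x13, country) + rdn(b"\x55\x04\x0a", 0x0c, org))

def smime_name_constraints(mail_domains, dir_names=()) -> bytes:
    """NameConstraints value with the entries listed in the thread. rfc822Name constraints carry
    no "@": "example.com" covers mailboxes on that host, ".example.com" any mailbox in the domain."""
    permitted = b"".join(subtree(RFC822, d.encode("ascii")) for d in mail_domains)
    permitted += b"".join(subtree(DIRNAME, n) for n in dir_names)
    excluded = (subtree(DNS, b"")              # zero-length dNSName
                + subtree(IPADDR, bytes(8))    # 0.0.0.0/0: 4 address + 4 mask octets
                + subtree(IPADDR, bytes(32)))  # ::/0: 16 address + 16 mask octets
    return der(0x30, der(0xA0, permitted) + der(0xA1, excluded))

def tlvs(buf: bytes) -> list:  # split a DER buffer into (tag, body) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def is_smime_constrained(nc_der: bytes) -> bool:
    """The thread's test: a permitted rfc822Name, excluded zero-length dNSName, excluded all-zero
    iPAddress of 8 octets (IPv4) and of 32 octets (IPv6)."""
    parts = dict(tlvs(tlvs(nc_der)[0][1]))                   # {0xA0: permitted, 0xA1: excluded}
    def names(body): return [tlvs(s)[0] for _, s in tlvs(body)]  # base GeneralName per subtree
    permitted, excluded = names(parts.get(0xA0, b"")), names(parts.get(0xA1, b""))
    return (any(tag == RFC822 for tag, _ in permitted) and (DNS, b"") in excluded
            and (IPADDR, bytes(8)) in excluded and (IPADDR, bytes(32)) in excluded)
```

Feed `is_smime_constrained` the raw value octets of a certificate's nameConstraints extension (the OCTET STRING contents, not the whole Extension); a value with only dirName permitted entries fails the check because the rfc822Name entry is what scopes the CA to mail.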
