On Fri, May 5, 2017 at 11:58 AM, Dimitris Zacharopoulos via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> On 5/5/2017 9:49 PM, Peter Bowen via dev-security-policy wrote:
>>
>> On Fri, May 5, 2017 at 11:44 AM, Dimitris Zacharopoulos via
>> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>>
>>> Looking at https://github.com/mozilla/pkipolicy/issues/69
>>>
>>> do you have a proposed language that takes all comments into account?
>>> From what I understand, the Subordinate CA Certificate to be considered
>>> Technically Constrained only for S/MIME:
>>>
>>>   * MUST include an EKU that has the id-kp-emailProtection value AND
>>>   * MUST include a nameConstraints extension with
>>>       o a permittedSubtrees with
>>>           + rfc822Name entries scoped in the Domain (@example.com) or
>>>             Domain Namespace (@example.com, @.example.com) controlled by
>>>             an Organization and
>>>           + dirName entries scoped in the Organizational name and
>>>             location
>>>       o an excludedSubtrees with
>>>           + a zero-length dNSName
>>>           + an iPAddress GeneralName of 8 zero octets (covering the IPv4
>>>             address range of 0.0.0.0/0)
>>>           + an iPAddress GeneralName of 32 zero octets (covering the
>>>             IPv6 address range of ::0/0)
>>
>> Why do we need to address dNSName and iPAddress if the only EKU is
>> id-kp-emailProtection?
>>
>> Can we simplify this to just requiring at least one rfc822Name entry
>> in the permittedSubtrees?
>
> I would be fine with this but there may be implementations that ignore the
> EKU at the Intermediate CA level.
I've only ever heard of people saying that adding EKU at the intermediate
level breaks things, not that things ignore it.

> So, if we want to align with both the CA/B Forum BRs section 7.1.5 and the
> Mozilla Policy for S/MIME, perhaps we should keep the excludedSubtrees.

The BRs cover serverAuth. If you look at https://imagebin.ca/v/3LRcaKW9t2Qt,
you will see that TCSC will end up being two independent tests.

Thanks,
Peter
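The exchange above turns on how the nameConstraints and EKU extensions of a Subordinate CA certificate are encoded and then evaluated as two separate tests: one for S/MIME (the simplified "emailProtection EKU plus at least one rfc822Name in permittedSubtrees" rule) and one for serverAuth (the BR section 7.1.5 style exclusions). The following Go program is an added example written for this page; it is not code from the thread, from Mozilla or from the CA/B Forum. It uses only the standard library's crypto/x509 to build CA certificates with those constraints, re-parses the DER, and applies both tests. Assumptions: the domain example.com and the organisation name are placeholders; the CA certificate is self-signed purely to keep the code short (a real Subordinate CA is issued by its parent); the dirName constraints from the proposal are omitted because Go's certificate template has no field for them; and ConstrainedForServerAuth is a deliberately simplified reading of BR 7.1.5, not the full text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// BuildConstrainedCA builds a CA certificate with the given EKUs and a permittedSubtrees
// rfc822Name constraint for the assumed domain example.com. With withExclusions it adds the
// excludedSubtrees from the proposal: a zero-length dNSName, 0.0.0.0/0 as 8 zero octets and
// ::/0 as 32 zero octets. Self-signed only for brevity; dirName constraints are omitted
// because Go's template has no field for them.
func BuildConstrainedCA(ekus []x509.ExtKeyUsage, withExclusions bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Corp"}, CommonName: "Example S/MIME CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
		// RFC 5280 rfc822Name constraint forms: "example.com" (that host) and ".example.com"
		// (any subdomain). Go rejects the "@example.com" spelling used informally in the thread.
		PermittedEmailAddresses:     []string{"example.com", ".example.com"},
		PermittedDNSDomainsCritical: true, // marks the whole nameConstraints extension critical
	}
	if withExclusions {
		tmpl.ExcludedDNSDomains = []string{""} // zero-length dNSName
		tmpl.ExcludedIPRanges = []*net.IPNet{
			{IP: net.IPv4zero.To4(), Mask: net.CIDRMask(0, 32)}, // 4 address + 4 mask octets, all zero
			{IP: net.IPv6zero, Mask: net.CIDRMask(0, 128)},      // 16 address + 16 mask octets, all zero
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Re-parse the DER so the tests below see exactly what a relying party decodes.
	return x509.ParseCertificate(der)
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, e := range c.ExtKeyUsage {
		if e == want {
			return true
		}
	}
	return false
}

// ConstrainedForSMIME is the simplification proposed in the thread: id-kp-emailProtection
// in the EKU extension and at least one rfc822Name in permittedSubtrees.
func ConstrainedForSMIME(c *x509.Certificate) bool {
	return hasEKU(c, x509.ExtKeyUsageEmailProtection) && len(c.PermittedEmailAddresses) > 0
}

// excludesAllDNSAndIP reports whether excludedSubtrees carries a zero-length dNSName and
// all-zero iPAddress entries for both IPv4 (8 octets) and IPv6 (32 octets).
func excludesAllDNSAndIP(c *x509.Certificate) bool {
	dns, v4, v6 := false, false, false
	for _, d := range c.ExcludedDNSDomains {
		dns = dns || d == ""
	}
	for _, n := range c.ExcludedIPRanges {
		if ones, bits := n.Mask.Size(); ones == 0 && n.IP.IsUnspecified() {
			v4 = v4 || bits == 32
			v6 = v6 || bits == 128
		}
	}
	return dns && v4 && v6
}

// ConstrainedForServerAuth is a simplified reading of BR section 7.1.5: an EKU extension must
// be present, and either it lacks id-kp-serverAuth and anyExtendedKeyUsage, or the
// excludedSubtrees rule out every dNSName and iPAddress.
func ConstrainedForServerAuth(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU extension at all: unconstrained for any purpose
	}
	if !hasEKU(c, x509.ExtKeyUsageServerAuth) && !hasEKU(c, x509.ExtKeyUsageAny) {
		return true
	}
	return excludesAllDNSAndIP(c)
}

func main() {
	email := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection}
	cases := []struct {
		name    string
		ekus    []x509.ExtKeyUsage
		exclude bool
	}{{"emailProtection only", email, false}, {"serverAuth+emailProtection", both, false},
		{"serverAuth+emailProtection, exclusions", both, true}}
	for _, tc := range cases {
		c, err := BuildConstrainedCA(tc.ekus, tc.exclude)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s S/MIME: %-5t serverAuth: %t\n", tc.name, ConstrainedForSMIME(c), ConstrainedForServerAuth(c))
	}
}
```

The first case illustrates the question raised in the quoted message: a CA whose only EKU is emailProtection already passes the serverAuth test without any dNSName or iPAddress exclusions, because the test keys on the EKU first. The second case shows a CA that adds serverAuth and therefore fails that test until the exclusions are present, which is why the two tests are independent: a certificate can satisfy either one without the other.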