In reviewing the Mozilla CA policy, I noticed one bug that is probably my fault. It says:
"name constraints which do not allow Subject Alternative Names (SANs) of any of the following types: dNSName, iPAddress, SRVName, rfc822Name" SRVName is not yet allowed by the CA/Browser Forum Baseline Requirements (BRs), so I highly doubt any CA has issued a cross-certificate containing constraints on SRVName-type names. Until the Forum allows such issuance, I think this requirement should be changed to remove SRVName from the list. If the Forum does allow such in the future, adding this back can be revisited at such time. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy