We still need to get the policy changed, even with the ballot. As written right now, all name constrained certificates are no longer considered constrained.

On Mon, Jul 3, 2017 at 9:42 AM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> Isn't this ballot ready to go? If we start the review period now, it'll be
> passed by the time the Mozilla policy is updated.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
> On Behalf Of Peter Bowen via dev-security-policy
> Sent: Monday, July 3, 2017 10:30 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: SRVNames in name constraints
>
> In reviewing the Mozilla CA policy, I noticed one bug that is probably my
> fault. It says:
>
> "name constraints which do not allow Subject Alternative Names (SANs) of any
> of the following types: dNSName, iPAddress, SRVName, rfc822Name"
>
> SRVName is not yet allowed by the CA/Browser Forum Baseline Requirements
> (BRs), so I highly doubt any CA has issued a cross-certificate containing
> constraints on SRVName-type names. Until the Forum allows such issuance, I
> think this requirement should be changed to remove SRVName from the list.
> If the Forum does allow such in the future, adding this back can be
> revisited at such time.
>
> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy