On 05/07/17 15:10, Peter Bowen wrote:
> The second bullet says “any”.  As the rule for name constraints is that if 
> they are not present for a type, then any name is allowed, you have to 
> include name constraints for all four types.  The issue comes down to the 
> definition of “working server” certificates.  Mozilla does not use either 
> rfc822names or SRVName for name validation for server authentication, but you 
> could have a valid server certificate that has only these names.  Is 
> NSS/Firefox code considered a “technical constraint”?  If not, then all 
> technically constrained CA certificates need to have constraints on SRVName 
> and rfc822Name type General Names in addition to what they have now.

You are right; this is a bug. Server certs need to have constraints on
dNSName and ipAddress (v4 and v6), and email certs need to have
constraints on rfc822Name. It is not intended to require that e.g.
server certs have rfc822Name constraints in order to be considered
technically constrained.

What EKU(s) get used with certs containing SRVName? I confess I don't
understand this technology as well as I might.

Note that I'm going on holiday for 3 weeks; further engagement may have
to wait until I return.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
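
As an added example, not code from this thread or from Mozilla, the following Go program checks the corrected rule Gerv states above using the standard crypto/x509 package: a sub-CA counts as technically constrained for server certs only if dNSName and iPAddress (v4 and v6) are constrained, and for email certs only if rfc822Name is constrained, because a name type with no constraint admits any name. The self-signed sub-CA, the "example.com" names and the 0.0.0.0/0 exclusion are constructed test values; the certificate is round-tripped through DER so the check runs against what a parser actually sees.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerConstrained applies the corrected rule: a sub-CA is technically constrained for
// server certs only if dNSName and iPAddress (v4 and v6) are constrained; absent means any.
func ServerConstrained(c *x509.Certificate) bool {
	v4, v6 := false, false // Go's parser yields 4-byte masks for IPv4 ranges and 16-byte for IPv6
	for _, n := range append(append([]*net.IPNet{}, c.PermittedIPRanges...), c.ExcludedIPRanges...) {
		v4 = v4 || len(n.Mask) == net.IPv4len
		v6 = v6 || len(n.Mask) == net.IPv6len
	}
	return (len(c.PermittedDNSDomains) > 0 || len(c.ExcludedDNSDomains) > 0) && v4 && v6
}

// EmailConstrained checks the rfc822Name constraint required of email sub-CAs.
func EmailConstrained(c *x509.Certificate) bool {
	return len(c.PermittedEmailAddresses) > 0 || len(c.ExcludedEmailAddresses) > 0
}

// NewConstrainedCA signs and re-parses a self-signed CA (constructed test data, not a real
// CA) that permits the given dNSName/rfc822Name values and excludes the given IP ranges.
func NewConstrainedCA(dns, emails []string, excludedIPs ...*net.IPNet) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomains: dns, PermittedEmailAddresses: emails, ExcludedIPRanges: excludedIPs,
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // return the parsed form, as a relying party would see it
}

func main() {
	_, v4, _ := net.ParseCIDR("0.0.0.0/0") // IPv4 excluded but no IPv6 range: not constrained
	c, err := NewConstrainedCA([]string{"example.com"}, nil, v4)
	fmt.Println(err == nil && ServerConstrained(c), err == nil && EmailConstrained(c)) // false false
}
```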