On Tue, Aug 15, 2017 at 4:20 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 06/07/17 16:56, Ryan Sleevi wrote: >> Relevant to this group, id-kp-serverAuth (and perhaps id-kp-clientAuth) > > So what do we do? There are loads of "name-constrained" certs out there > with id-kp-serverAuth but no constraints on SRVName. Does that mean they > can issue for any SRVName they like? Is that a problem once we start > allowing it? > > I've filed: > https://github.com/mozilla/pkipolicy/issues/96 > on this issue in general.
Right now no CA is allowed to issue for SRVName. Part of the CA/Browser Forum ballot I had drafted a while ago had language that said something like "If a CA certificate contains at least one DNSName entry in NameConstraints and does not have any SRVName entries in NameConstraints, then the CA MUST NOT issue any certificates containing SRVname names." However this is a morass, as it is defining what a CA can do based on something outside the CA's scope. I'm not sure how to deal with this, to be honest. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
