I realize use of underscore characters has been debated and explained at the CAB Forum, but I think it's pretty evident (based on the certs issued and responses to Ballot 202) that not all CAs believe certs for SRVNames are prohibited. I realize the rationale against underscores is that 5280 requires a valid host name for DNS and X.509 does not necessarily permit underscores, but it's not explicitly stated. Ballot 202 went a long way towards clarification on when underscores are permitted, but that failed, creating all new confusion on the issue. Any CA not paying careful attention to the discussion and looking only at the results would probably believe SRVNames are permitted as long as the entry is in SAN:dNSName instead of otherName.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Peter Bowen via dev-security-policy
Sent: Tuesday, August 15, 2017 8:51 AM
To: Gervase Markham <g...@mozilla.org>
Cc: Ryan Sleevi <r...@sleevi.com>; Peter Bowen <p...@amzn.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: SRVNames in name constraints

On Tue, Aug 15, 2017 at 4:20 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 06/07/17 16:56, Ryan Sleevi wrote:
>> Relevant to this group, id-kp-serverAuth (and perhaps id-kp-clientAuth)
>
> So what do we do? There are loads of "name-constrained" certs out there with id-kp-serverAuth but no constraints on SRVName. Does that mean they can issue for any SRVName they like? Is that a problem once we start allowing it?
>
> I've filed:
> https://github.com/mozilla/pkipolicy/issues/96
> on this issue in general.

Right now no CA is allowed to issue for SRVName.

Part of the CA/Browser Forum ballot I had drafted a while ago had language that said something like "If a CA certificate contains at least one DNSName entry in NameConstraints and does not have any SRVName entries in NameConstraints, then the CA MUST NOT issue any certificates containing SRVname names." However this is a morass, as it is defining what a CA can do based on something outside the CA's scope.

I'm not sure how to deal with this, to be honest.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
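The draft rule Peter quotes (a CA whose permitted subtrees list dNSName entries but no SRVName entries must not issue SRVName certificates), together with Jeremy's point about SRV names being placed in SAN:dNSName, as an added example that is not part of the thread. It models name constraints and SANs as `(type, value)` tuples rather than parsing DER, uses the RFC 4985 `_service.host` form for SRVName, and the SRVName-matching semantics in `srv_within` are this example's assumption, not text from the messages.

```python
# Added example, not from the thread. Constraint and SAN entries are modelled as
# (type, value) tuples; no DER parsing. Matching rules are stated as assumptions.

DNS = "dNSName"
SRV = "SRVName"   # otherName id-on-dnsSRV, RFC 4985 "_service.host" form

def dns_within(name, base):
    """RFC 5280 dNSName constraint: name equals base or is a subdomain of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def srv_within(srvname, base):
    """Assumed RFC 4985 semantics: a constraint carrying a service label only
    matches that service; one without a service label matches any service.
    The host part is matched exactly like a dNSName constraint."""
    service, _, host = srvname.partition(".")
    if base.startswith("_"):
        base_service, _, base_host = base.partition(".")
        if base_service.lower() != service.lower():
            return False
    else:
        base_host = base
    return dns_within(host, base_host)

def srvname_issuance_allowed(permitted):
    """The quoted draft rule: dNSName entries present but no SRVName entries
    in the permitted subtrees means the CA MUST NOT issue SRVName certs."""
    kinds = {kind for kind, _ in permitted}
    return not (DNS in kinds and SRV not in kinds)

def check_leaf(permitted, sans):
    """Return (san, problem) pairs; an empty list means the leaf fits the CA."""
    problems = []
    dns_bases = [b for k, b in permitted if k == DNS]
    for kind, value in sans:
        if kind == SRV:
            if not srvname_issuance_allowed(permitted):
                problems.append((value, "SRVName issued under dNSName-only constraints"))
            elif not any(k == SRV and srv_within(value, b) for k, b in permitted):
                problems.append((value, "SRVName outside permitted SRVName subtrees"))
        elif kind == DNS:
            if any(label.startswith("_") for label in value.split(".")):
                problems.append((value, "underscore label: SRV name placed in dNSName"))
            if dns_bases and not any(dns_within(value, b) for b in dns_bases):
                problems.append((value, "dNSName outside permitted dNSName subtrees"))
    return problems

# Constructed sample: a CA constrained to example.com with no SRVName subtree,
# asked to sign a leaf carrying a real SRVName and an underscore dNSName.
CA_PERMITTED = [(DNS, "example.com")]
LEAF_SANS = [(DNS, "mail.example.com"), (SRV, "_ldap.example.com"),
             (DNS, "_sip._tcp.example.com")]

if __name__ == "__main__":
    for san, problem in check_leaf(CA_PERMITTED, LEAF_SANS):
        print(f"{san}: {problem}")
```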