On August 30, 2017 at 4:53:54 AM, Ben Wilson via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:

> This CA is technically constrained:
> DN: C=CH, L=Zurich, O=ABB, CN=ABB Issuing CA 6

Hi Ben,

ABB Intermediate CA 3 (https://crt.sh/?id=7739892), which issued ABB Issuing CA 6, does have a name constraints extension. Unfortunately that NC extension does not comply with BR 7.1.5 because it fails to encode an IPv6 exclusion:

The Subordinate CA Certificate MUST also include within excludedSubtrees an iPAddress GeneralName of 32 zero octets (covering the IPv6 address range of ::0/0)

This is an interesting edge case since the CA is partially, but not fully constrained.

-Paul
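A check for the exclusion quoted in the message above, as an added example that is not part of the original post or of any CA's tooling: it walks a DER-encoded NameConstraints extension value and reports whether excludedSubtrees carries the all-zero iPAddress entries. The function names are hypothetical, the sample bytes are constructed rather than taken from the ABB certificate, and the 8-zero-octet IPv4 check goes beyond the quoted sentence (it is the IPv4 counterpart in the same BR section).

```python
# DER walker for a NameConstraints value (RFC 5280, 4.2.1.10); stdlib only, single-byte tags.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0
    while pos < len(buf):  # TLVs packed back to back
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def excluded_ip_ranges(nc_der):
    """Return every iPAddress base (address || mask) in excludedSubtrees."""
    tag, body, _ = read_tlv(nc_der, 0)
    if tag != 0x30:
        raise ValueError("NameConstraints must be a SEQUENCE")
    found = []
    for tag, subtrees in children(body):
        if tag != 0xA1:  # [1] excludedSubtrees ([0], 0xA0, is permittedSubtrees)
            continue
        for _, subtree in children(subtrees):  # one GeneralSubtree each
            base_tag, base, _ = read_tlv(subtree, 0)
            if base_tag == 0x87:  # [7] iPAddress
                found.append(base)
    return found

def check_ip_exclusions(nc_der):
    """Report whether the whole IPv4 and IPv6 ranges are excluded."""
    ips = excluded_ip_ranges(nc_der)
    return {"ipv4_all": bytes(8) in ips, "ipv6_all": bytes(32) in ips}

def tlv(tag, value):  # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed samples (not the ABB certificate's bytes).
PERMITTED = tlv(0xA0, tlv(0x30, tlv(0x82, b"example.com")))
V4, V6 = tlv(0x30, tlv(0x87, bytes(8))), tlv(0x30, tlv(0x87, bytes(32)))
PARTIAL = tlv(0x30, PERMITTED + tlv(0xA1, V4))
COMPLIANT = tlv(0x30, PERMITTED + tlv(0xA1, V4 + V6))
```

`PARTIAL` models the edge case in the message: DNS names are constrained and IPv4 is excluded, but the 32-zero-octet IPv6 entry is missing, so the check reports `ipv6_all` as false.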