On 11/22/2008 12:32 PM, kgb:
Mandatory inclusion of the SAN extension in a certificate is a policy we can apply and monitor in the future.
To my understanding NSS ignores the subject line according to the RFC. DNS name constraints constrain subject alt name extensions, not CN= attributes in subject names. The same applies for email addresses.
(Obviously a compromised system in some form or the other might be able to circumvent an SAN policy as well, but it makes it perhaps somewhat harder still. In the meantime I think the above suggestion would be sufficient; Frank might look into whether NSS should implement non-standard behavior and also check for fields in the subject line.)
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
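The gap discussed in the message above, as an added example that is not part of the original post and is not NSS code: a dNSName name-constraint check that looks only at SAN entries accepts a certificate carrying an out-of-scope host name in CN alone, while a mandatory-SAN issuance policy flags it. Certificates are modelled as constructed dicts, and the function names and the `looks_like_hostname` heuristic are assumptions made for illustration.

```python
def dns_in_subtree(name, subtree):
    """dNSName matching: name equals the subtree or adds labels on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def san_only_constraints_ok(cert, permitted):
    """Constraint check as described in the message: SAN dNSName only, CN ignored.
    A certificate with no SAN entries passes vacuously."""
    return all(any(dns_in_subtree(n, p) for p in permitted)
               for n in cert.get("san_dns", []))

def looks_like_hostname(value):
    # Hypothetical heuristic: dotted, no whitespace (e.g. not "Example Org").
    return "." in value and not any(c.isspace() for c in value)

def policy_findings(cert, permitted):
    """Mandatory-SAN policy: report what the SAN-only check would let through."""
    findings = []
    san = [n.lower() for n in cert.get("san_dns", [])]
    cn = cert.get("subject_cn", "")
    if not san:
        findings.append("missing SAN dNSName")
    for n in san:
        if not any(dns_in_subtree(n, p) for p in permitted):
            findings.append(f"SAN {n} outside permitted subtrees")
    if cn and looks_like_hostname(cn) and cn.lower() not in san:
        findings.append(f"CN {cn} not in SAN")
    return findings

# Constructed sample data: a sub-CA constrained to example.org and three
# certificates it issued.
PERMITTED = ["example.org"]
CERTS = {
    "ok":      {"subject_cn": "www.example.org",   "san_dns": ["www.example.org"]},
    "cn-only": {"subject_cn": "www.other.example", "san_dns": []},
    "bad-san": {"subject_cn": "Example Org",       "san_dns": ["mail.other.example"]},
}

if __name__ == "__main__":
    for cert_id, cert in CERTS.items():
        print(cert_id,
              "san-only check:", san_only_constraints_ok(cert, PERMITTED),
              "policy:", policy_findings(cert, PERMITTED) or "clean")
```

The `cn-only` certificate is the case the message is about: it passes the SAN-only constraint check yet a client that falls back to CN for host matching would accept it for a name outside the permitted subtree.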

