Eddy Nigg wrote, On 2008-11-22 04:10:
> On 11/22/2008 12:32 PM, kgb:
>> Mandatory inclusion of the SAN extension in a certificate is a policy
>> we can apply and monitor in the future.
>
> To my understanding NSS ignores the subject line according to the RFC.

I think you mean subject NAME, not subject line.

> DNS name constraints constrain subject alt name extensions, not CN=
> attributes in subject names.

That's right. NSS applies name constraints to DNS names found in subject alternative names extensions but does not apply them to DNS names found within the Common Name attributes in cert subject names, per the RFC. There are several reasons for that. One is that the RFC only defines DNS name constraints as applying to DNS names in subject Alt Names. But the greater reason is that Common Names may legitimately carry values that are not DNS names. Indeed, they were never intended to carry DNS names at all, but rather were intended to carry the names of persons. You wouldn't want to reject a cert on the grounds that it failed the DNS name constraint if the CN contained "Eddy Nigg" and the DNS constraint said "startcom.org".

> The same applies for email addresses.

The story for email addresses isn't quite as simple as for DNS names. There are numerous different subject name attributes that can carry email addresses. There are two of those types of attributes to which NSS does apply email name constraints. They are the attributes commonly displayed with E= and MAIL=. But other attributes are not constrained by email address constraints. In practice this means that email addresses in subject names are more likely to be constrained than are DNS names in subject names. This is not an issue for certs that are issued in conformance with the RFC, putting the DNS names and email addresses into the Subject Alt Names. But certs that put those names SOLELY in the subject name and not in the subject Alt Name may not be adequately constrained. Sadly, there are Many CAs that still put those names ONLY in the subject name, and not in the subject alt name where they belong.

> Frank might look into if NSS should implement non-standard
> behavior and also check for fields in the subject line.)

There's no foolproof test for determining if a string is a DNS name or some other kind of name. Various heuristics can be devised, but they all have problems. Consider an algorithm that will find the right answer for all of these strings:

"Eddy Nigg"
"www.startcom.org"
"Eddy"
"www"
"e.nigg"

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
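The behaviour described in the reply above, as an added illustration that is not NSS code and not part of the thread: DNS name constraints are matched against SAN dNSName entries only, the CN is never consulted, and a typical "does this CN look like a DNS name?" heuristic is run over the five strings the message lists. The `Cert` record, the permitted/excluded lists and the `looks_like_dns_name` rule are constructed for the example.

```python
"""RFC 5280 dNSName constraint matching as NSS applies it: SAN dNSName
entries are checked, the subject CN is ignored.  Constructed example."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    cn: str                                        # subject Common Name (free-form text)
    san_dns: list = field(default_factory=list)    # SAN dNSName entries


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10: constraint 'startcom.org' covers startcom.org
    itself and every host below it; a leading dot on the constraint,
    which some CAs encode, is treated the same way."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".").lstrip(".")
    return name == base or name.endswith("." + base)


def check_dns_constraints(cert: Cert, permitted: list, excluded: list) -> tuple:
    """Return (ok, reason).  Only SAN dNSName values are examined; the CN is
    deliberately not looked at, so a CN of "Eddy Nigg" can never fail."""
    for dns in cert.san_dns:
        if any(dns_in_subtree(dns, e) for e in excluded):
            return False, f"SAN dNSName {dns!r} is in an excluded subtree"
        if permitted and not any(dns_in_subtree(dns, p) for p in permitted):
            return False, f"SAN dNSName {dns!r} is outside every permitted subtree"
    return True, "all SAN dNSName entries satisfy the constraints"


def looks_like_dns_name(s: str) -> bool:
    """Constructed heuristic: two or more dot-separated labels made of
    letters, digits and hyphens.  It misclassifies "www" (a real host
    label) and "e.nigg" (plausibly a person), which is the thread's point."""
    labels = s.split(".")
    return len(labels) >= 2 and all(
        lbl and all(c.isalnum() or c == "-" for c in lbl) for lbl in labels)


def demo() -> dict:
    permitted = ["startcom.org"]
    person = Cert(cn="Eddy Nigg", san_dns=["www.startcom.org"])   # accepted
    stray = Cert(cn="Eddy Nigg", san_dns=["www.example.net"])     # rejected
    cn_only = Cert(cn="www.example.net", san_dns=[])              # nothing to check
    return {
        "person": check_dns_constraints(person, permitted, [])[0],
        "stray": check_dns_constraints(stray, permitted, [])[0],
        "cn_only": check_dns_constraints(cn_only, permitted, [])[0],
        "heuristic": {s: looks_like_dns_name(s) for s in
                      ["Eddy Nigg", "www.startcom.org", "Eddy", "www", "e.nigg"]},
    }
```

The `cn_only` case is the gap the message describes: a DNS name carried solely in the CN is never tested against the constraint, so the check passes vacuously.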

