> This is not an issue.  The name constraint makes it impossible for a
> domain registrant to issue a certificate that validates for a server
> name outside that domain.  Hence, anything bad I do with my
> intermediate certificate could only hurt me as registrant of
> mattmccutchen.net.

What about "www.paypal.com[NULL].yourcompany.com"? I assume that would
be allowed by the name constraint with respect to fixed software, but
still hit some older software that has the NULL certificate bug. I'm
also curious: what about "www.paypal.com[lots of spaces or underscores
or something like that].yourcompany.com"?

> --
> Matt

-Kurt
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
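
An added example, not part of the original message or of any library's code: a length-aware check of the name from the question above, showing that a suffix test against the constraint accepts it, that a NUL-terminated comparison sees only `www.paypal.com`, and that a strict syntax check rejects it along with the space and underscore variants. The function names are hypothetical, the constraint base `yourcompany.com` is taken from the message, names are assumed to be already lowercased, and wildcard names are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample from the message: 14 bytes, a NUL, then 16 more. */
static const unsigned char SAMPLE[] = "www.paypal.com\0.yourcompany.com";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Hypothetical helper: length-aware syntax check (letters, digits, '-', '.').
 * Rejects embedded NUL, spaces, underscores, empty labels; no wildcards. */
int dns_name_is_wellformed(const unsigned char *name, size_t len)
{
    size_t label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = name[i];
        if (c == '.') {
            if (label == 0) return 0;            /* empty label */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-') {
            if (++label > 63) return 0;          /* label too long */
        } else {
            return 0;                            /* NUL, ' ', '_', ... */
        }
    }
    return label != 0;
}

/* Hypothetical helper: suffix test over the full length (lowercase assumed). */
int within_constraint(const unsigned char *name, size_t len, const char *base)
{
    size_t blen = strlen(base);
    if (len < blen || memcmp(name + (len - blen), base, blen) != 0) return 0;
    return len == blen || name[len - blen - 1] == '.';
}

/* What a NUL-terminated comparison sees: the name cut at the first NUL. */
int cstring_view_matches(const unsigned char *name, const char *host)
{
    return strcmp((const char *)name, host) == 0;
}

int main(void)
{
    printf("within constraint: %d\n", within_constraint(SAMPLE, SAMPLE_LEN, "yourcompany.com"));
    printf("C-string view is www.paypal.com: %d\n", cstring_view_matches(SAMPLE, "www.paypal.com"));
    printf("well-formed: %d\n", dns_name_is_wellformed(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Running the syntax check before the constraint test means a name is refused on its full byte length before any string comparison can truncate it.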
