On Saturday, 2 November 2013 at 08:39:53 UTC+1, Kaspar Brand wrote:
> 11 hours ago, a new certificate was given birth to which I would
> like to share with this list for edification purposes. I think that the
> audience here should be able to fully appreciate what marvellous
> real-world example we are now provided with for testing the PKIX-based
> path validation implementations of the world for RFC 5280 compliance
> ("Applications conforming to this profile MUST be able to process name
> constraints that are imposed on the directoryName name form and SHOULD
> be able to process name constraints that are imposed on the rfc822Name,
> uniformResourceIdentifier, dNSName, and iPAddress name forms").

Nice. Even cut/pasting it to parse it is a bargain.

Wouldn't it have been easier to have several CA certificates with smaller constraints? With such a large permitted subtree, can it really be considered constrained? Technically, it is, yes.

You missed the exclusion of IPv6 addresses. So this CA can certify for any IPv6 address range. I don't think it will be very dangerous within the next year, considering current IPv6 deployment.

-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
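Added example, not part of the original message or of any project's code: a small audit of iPAddress name constraints showing how an IPv4-only exclusion leaves IPv6 subject names unconstrained, and how adding the all-zero IPv6 exclusion closes the gap. The constraint bytes are constructed samples rather than the certificate discussed in the thread, the function names are hypothetical, and the code assumes IPv4 and IPv6 entries are evaluated per address family, which is how the reply reads the certificate.

```python
import ipaddress

def parse_ip_constraint(raw: bytes):
    """Decode an RFC 5280 iPAddress constraint: address octets, then mask octets
    (8 octets in total for IPv4, 32 for IPv6)."""
    if len(raw) not in (8, 32):
        raise ValueError("iPAddress constraint must be 8 or 32 octets")
    half = len(raw) // 2
    bits = "".join(f"{b:08b}" for b in raw[half:])
    prefix = bits.count("1")
    if bits != "1" * prefix + "0" * (len(bits) - prefix):
        raise ValueError("non-contiguous mask")
    cls = ipaddress.IPv4Network if half == 4 else ipaddress.IPv6Network
    return cls((raw[:half], prefix))

def unconstrained_families(permitted, excluded):
    """Address families with no permitted entry and no whole-range exclusion.
    Assumption: each family is constrained only by entries of its own family."""
    out = []
    for version, name in ((4, "IPv4"), (6, "IPv6")):
        has_permitted = any(n.version == version for n in permitted)
        fully_excluded = any(n.version == version and n.prefixlen == 0
                             for n in excluded)
        if not has_permitted and not fully_excluded:
            out.append(name)
    return out

def ip_san_allowed(addr, permitted, excluded):
    """Would an iPAddress subjectAltName pass these constraints?"""
    ip = ipaddress.ip_address(addr)
    same_family = lambda nets: [n for n in nets if n.version == ip.version]
    if any(ip in n for n in same_family(excluded)):
        return False
    allowed = same_family(permitted)
    return not allowed or any(ip in n for n in allowed)

# Constructed sample constraints (not taken from the certificate in the thread).
WEAK_EXCLUDED = [parse_ip_constraint(bytes(8))]                      # 0.0.0.0/0 only
FIXED_EXCLUDED = WEAK_EXCLUDED + [parse_ip_constraint(bytes(32))]    # plus ::/0

if __name__ == "__main__":
    for label, excluded in (("weak", WEAK_EXCLUDED), ("fixed", FIXED_EXCLUDED)):
        print(label, "unconstrained:", unconstrained_families([], excluded),
              "| 2001:db8::1 allowed:", ip_san_allowed("2001:db8::1", [], excluded))
```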

