RE: SRVNames in name constraints

r...@sleevi.com>; Peter Bowen <p...@amzn.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: SRVNames in name constraints On Tue, Aug 15, 2017 at 8:01 AM, Jeremy Rowley <jeremy.row...@digicert.com> wrote: > I realize use of

Re: SRVNames in name constraints

On Tue, Aug 15, 2017 at 8:01 AM, Jeremy Rowley wrote: > I realize use of underscore characters was been debated and explained at the > CAB Forum, but I think it's pretty evident (based on the certs issued and > responses to Ballot 202) that not all CAs believe certs

RE: SRVNames in name constraints

Of Peter Bowen via dev-security-policy Sent: Tuesday, August 15, 2017 8:51 AM To: Gervase Markham <g...@mozilla.org> Cc: Ryan Sleevi <r...@sleevi.com>; Peter Bowen <p...@amzn.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: SRVN

Re: SRVNames in name constraints

On Tue, Aug 15, 2017 at 4:20 AM, Gervase Markham via dev-security-policy wrote: > On 06/07/17 16:56, Ryan Sleevi wrote: >> Relevant to this group, id-kp-serverAuth (and perhaps id-kp-clientAuth) > > So what do we do? There are loads of "name-constrained"

Re: SRVNames in name constraints

On 06/07/17 16:56, Ryan Sleevi wrote: > Relevant to this group, id-kp-serverAuth (and perhaps id-kp-clientAuth) So what do we do? There are loads of "name-constrained" certs out there with id-kp-serverAuth but no constraints on SRVName. Does that mean they can issue for any SRVName they like? Is

Re: SRVNames in name constraints

On Thu, Jul 6, 2017 at 10:48 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > What EKU(s) get used with certs containing SRVName? I confess I don't > understand this technology as well as I might. > Relevant to this group, id-kp-serverAuth (and

Re: SRVNames in name constraints

On 05/07/17 15:10, Peter Bowen wrote: > The second bullet says “any”. As the rule for name constraints is that if > they are not present for a type, then any name is allowed, you have to > include name constraints for all four types. The issue comes down to the > definition of “working

Re: SRVNames in name constraints

> On Jul 5, 2017, at 4:23 AM, Gervase Markham via dev-security-policy > wrote: > > On 03/07/17 17:44, Peter Bowen wrote: >> We still need to get the policy changed, even with the ballot. As >> written right now, all name constrained certificates are no

Re: SRVNames in name constraints

On 03/07/17 17:44, Peter Bowen wrote: > We still need to get the policy changed, even with the ballot. As > written right now, all name constrained certificates are no longer > considered constrained. I'm not sure what you mean... What's the issue you are raising here? Gerv

Re: SRVNames in name constraints

On 03/07/17 17:29, Peter Bowen wrote: > "name constraints which do not allow Subject Alternative Names (SANs) > of any of the following types: dNSName, iPAddress, SRVName, > rfc822Name" > > SRVName is not yet allowed by the CA/Browser Forum Baseline > Requirements (BRs), so I highly doubt any CA

Re: SRVNames in name constraints

Sent: Monday, July 3, 2017 10:30 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: SRVNames in name constraints > > In reviewing the Mozilla CA policy, I noticed one bug that is probably my > fault. It says: > > "name constraints which do not allow Subject

RE: SRVNames in name constraints

-security-policy Sent: Monday, July 3, 2017 10:30 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: SRVNames in name constraints In reviewing the Mozilla CA policy, I noticed one bug that is probably my fault. It says: "name constraints which do not allow Subject Alternative Names

SRVNames in name constraints

In reviewing the Mozilla CA policy, I noticed one bug that is probably my fault. It says: "name constraints which do not allow Subject Alternative Names (SANs) of any of the following types: dNSName, iPAddress, SRVName, rfc822Name" SRVName is not yet allowed by the CA/Browser Forum Baseline