* Kurt Roeckx:

>> RFC 5280 is pretty clear that implementations must support end-entity
>> certificates without the subjectAltName extension under a CA
>> which has name constraints.
>
> But the CA/B baseline requirements does require a SAN, so there is
> no reason for us not to require it.

RFC 5280 is clearly buggy as far as HTTPS is concerned, so the NSS behavior is fine. It's just that this behavior is pretty much specific to NSS, but the Mozilla-approved root certificates are used in a wider context.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy