* Kurt Roeckx:
> So it's my understanding that they were only supposed to issue
> certificates for their own domain(s). Why wasn't this enforced by
> using a name constraint?

Sadly, name constraints do not work because they do not constrain the Common Name field. The IETF PKIX WG explicitly rejected an erratum which corrected this oversight. NSS used to be different (before the mozilla::pkix rewrite), but it's not PKIX-compliant.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
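The gap the reply describes, as an added pure-Python illustration (not code from the list, from NSS or from mozilla::pkix): a strict PKIX reading of RFC 5280 applies dNSName constraints to subjectAltName entries only, so a certificate with no SAN and an out-of-scope CN passes, whereas a check that falls back to the CN when no SAN is present, in the spirit of what the reply says legacy NSS did, rejects it. The Cert and NameConstraints records are constructed stand-ins for real certificates, and the names used are made-up sample values.

```python
"""dNSName name-constraint checking with and without a Common Name fallback.
The Cert/NameConstraints records are constructed stand-ins, not real X.509."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    common_name: Optional[str]                       # subject CN, may be absent
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries


@dataclass
class NameConstraints:
    permitted: List[str] = field(default_factory=list)  # dNSName subtrees
    excluded: List[str] = field(default_factory=list)


def in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a subtree if it equals the base
    or is formed by adding labels to the left of it ("www.host.example.com"
    satisfies "host.example.com"; "host1.example.com" does not)."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    """Excluded subtrees win; with no permitted subtrees everything else is allowed."""
    if any(in_subtree(name, b) for b in nc.excluded):
        return False
    return not nc.permitted or any(in_subtree(name, b) for b in nc.permitted)


def pkix_check(cert: Cert, nc: NameConstraints) -> bool:
    """Strict PKIX: dNSName constraints apply to SAN dNSName entries only.
    A certificate without a SAN has nothing to check and therefore passes."""
    return all(dns_name_allowed(n, nc) for n in cert.san_dns)


def cn_aware_check(cert: Cert, nc: NameConstraints) -> bool:
    """Hardened rule: when no SAN dNSName is present, treat the CN as a dNSName
    so a CN-only leaf cannot escape the issuing CA's constraints."""
    names = cert.san_dns or ([cert.common_name] if cert.common_name else [])
    return all(dns_name_allowed(n, nc) for n in names)


if __name__ == "__main__":
    nc = NameConstraints(permitted=["example.com"])
    good = Cert("www.example.com", ["www.example.com"])
    cn_only = Cert("login.example.net")  # constructed: no SAN, CN outside subtree
    print(pkix_check(good, nc), cn_aware_check(good, nc))        # True True
    print(pkix_check(cn_only, nc), cn_aware_check(cn_only, nc))  # True False
```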

