On 24/03/15 09:35, Florian Weimer wrote:
> Sadly, name constraints do not work because they do not constrain the
> Common Name field. The IETF PKIX WG explicitly rejected an erratum
> which corrected this oversight.
>
> NSS used to be different (before the mozilla::pkix rewrite), but it's
> not PKIX-compliant.

My understanding is that we continue to constrain the CN field using name constraints, even after adopting mozilla::pkix; do you know differently?

Anyway, the BRs require that the value in the CN field be repeated in the SAN field. So, at some point in the future, for publicly-trusted certs anyway, we can start ignoring the CN field. From BRs draft 30b:

"If present, this field MUST contain a single Fully-Qualified Domain Name that is one of the values contained in the Certificate's subjectAltName extension (see Section 9.2.1)."

The BRs were adopted in 2011 and had an effective date of 1st July 2012. At the time, they permitted 5 year issuance. So on 1st July 2017, we should be able to start ignoring CN if we want. (The fact that this is such a long time away is a good argument for reducing cert lifetimes!)

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
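An added illustration of the two points in this exchange, not code from either poster or from NSS/mozilla::pkix: a BR-style check that every CN value is repeated as a SAN dNSName, and RFC 5280 4.2.1.10 dNSName constraint matching applied to the SAN entries and (going beyond strict PKIX, as the old NSS did) to the CN as well. Certificates are constructed samples in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the subtree and function names are this example's own.

```python
# Assumed input layout: the dict that ssl.SSLSocket.getpeercert() returns,
# i.e. "subject" is a tuple of RDNs, each a tuple of (type, value) pairs,
# and "subjectAltName" is a tuple of (kind, value) pairs.

def _subject_cns(cert):
    """Every commonName value in the subject (a subject may carry several)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _san_dns_names(cert):
    """Every dNSName entry of the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def cn_is_in_san(cert):
    """BR rule quoted above: each CN must also be present as a SAN dNSName."""
    sans = {n.lower() for n in _san_dns_names(cert)}
    return all(cn.lower() in sans for cn in _subject_cns(cert))

def _in_subtree(name, base):
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals it or
    is formed by adding labels on the left (www.host.example.com matches
    host.example.com; host1.example.com does not). A leading '.' on the
    constraint, seen in some deployed certs, is tolerated and stripped."""
    name = name.lower().rstrip(".")
    base = base.lower().lstrip(".").rstrip(".")
    return name == base or name.endswith("." + base)

def dns_name_permitted(name, permitted=(), excluded=()):
    """A name is acceptable if it falls in no excluded subtree and, when any
    permitted subtrees exist, in at least one of them."""
    if any(_in_subtree(name, b) for b in excluded):
        return False
    return not permitted or any(_in_subtree(name, b) for b in permitted)

def check_leaf(cert, permitted=(), excluded=()):
    """Apply the constraints to SAN dNSNames AND to the CN (strict PKIX checks
    only the SAN). Returns the offending names; an empty list means accepted."""
    names = _san_dns_names(cert) + _subject_cns(cert)
    return [n for n in names if not dns_name_permitted(n, permitted, excluded)]

# Constructed sample certificates (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# CN outside the issuer's subtree and not repeated in SAN: a SAN-only verifier
# never sees it, a CN-aware one rejects it.
CN_ONLY_CERT = {
    "subject": ((("commonName", "intranet.example.org"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
```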