* Gervase Markham:

> On 24/03/15 09:35, Florian Weimer wrote:
>> Sadly, name constraints do not work because they do not constrain the
>> Common Name field. The IETF PKIX WG explicitly rejected an erratum
>> which corrected this oversight.
>>
>> NSS used to be different (before the mozilla::pkix rewrite), but it's
>> not PKIX-compliant.
>
> My understanding is that we continue to constrain the CN field using
> name constraints, even after adopting mozilla::pkix; do you know
> differently?

I simply have not investigated; my comment was poorly phrased in this regard.

> Anyway, the BRs require that the value in the CN field be repeated in
> the SAN field. So, at some point in the future, for publicly-trusted
> certs anyway, we can start ignoring the CN field.
>
> From BRs draft 30b:
>
> "If present, this field MUST contain a single Fully-Qualified
> Domain Name that is one of the values contained in the
> Certificate's subjectAltName extension (see Section 9.2.1)."
>
> The BRs were adopted in 2011 and had an effective date of 1st July 2012.
> At the time, they permitted 5 year issuance. So on 1st July 2017, we
> should be able to start ignoring CN if we want.

This is an interesting idea. It would be a nice simplification.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
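The gap the two messages above circle around is easier to see in code. The following is an added example, written for this page; it is not code from the thread, from NSS or from mozilla::pkix. It models an end-entity certificate as a dict-like record of already-parsed fields (no DER parsing), applies dNSName name constraints the way RFC 5280 section 6.1.4 does (subjectAltName entries only, subject Common Name untouched), and then applies the Baseline Requirements rule quoted by Gerv (a CN, if present, must also be one of the SAN dNSNames). The `Cert` record, the hostnames, and the single permitted/excluded subtree sets are constructed for the example; a real chain would intersect constraints from every CA in the path, and wildcards are not modelled.

```python
"""Added example: PKIX dNSName name constraints vs. subject Common Name.

Not code from the dev-security-policy thread, NSS or mozilla::pkix.
All certificates below are constructed stand-ins with pre-parsed fields.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for the relevant fields of a leaf certificate."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.lower().rstrip(".")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a subtree written as
    'host.example.com' when it equals the subtree or is the subtree with
    zero or more labels prepended (www.host.example.com matches,
    host1.example.com does not)."""
    name, subtree = _norm(name), _norm(subtree)
    return name == subtree or name.endswith("." + subtree)


def pkix_name_constraints_ok(cert: Cert, permitted: List[str], excluded: List[str]) -> bool:
    """Apply dNSName constraints as PKIX does (RFC 5280 6.1.4): every SAN
    dNSName must fall outside all excluded subtrees and, if any permitted
    subtrees exist, inside at least one of them. The Common Name is not
    looked at, which is exactly the point raised in the thread."""
    for name in cert.san_dns:
        if any(dns_in_subtree(name, e) for e in excluded):
            return False
        if permitted and not any(dns_in_subtree(name, p) for p in permitted):
            return False
    return True


def br_cn_ok(cert: Cert) -> bool:
    """Baseline Requirements rule quoted above: if CN is present it must be
    one of the values in the subjectAltName extension."""
    if cert.common_name is None:
        return True
    return _norm(cert.common_name) in {_norm(n) for n in cert.san_dns}


def hostname_accepted(cert: Cert, host: str, cn_fallback: bool) -> bool:
    """Host-name matching as a client would do it. SAN dNSNames are always
    consulted; a legacy client additionally accepts the Common Name.
    'Ignoring CN', as proposed in the thread, is cn_fallback=False."""
    names = {_norm(n) for n in cert.san_dns}
    if cn_fallback and cert.common_name is not None:
        names.add(_norm(cert.common_name))
    return _norm(host) in names


def evaluate(cert: Cert, permitted: List[str], excluded: List[str], host: str) -> dict:
    """Summarise how one certificate fares under each check for a given host."""
    return {
        "pkix_constraints_ok": pkix_name_constraints_ok(cert, permitted, excluded),
        "br_cn_ok": br_cn_ok(cert),
        "accepted_by_legacy_client": hostname_accepted(cert, host, cn_fallback=True),
        "accepted_ignoring_cn": hostname_accepted(cert, host, cn_fallback=False),
    }


if __name__ == "__main__":
    # Constructed scenario: a CA constrained to example.com, and a leaf whose
    # SAN is inside the constraint but whose CN is not.
    permitted, excluded = ["example.com"], ["internal.example.com"]
    rogue = Cert(common_name="www.evil.test", san_dns=["www.example.com"])
    honest = Cert(common_name="www.example.com", san_dns=["www.example.com", "example.com"])
    for label, cert in (("rogue", rogue), ("honest", honest)):
        print(label, evaluate(cert, permitted, excluded, cert.common_name))
```

The rogue leaf passes the PKIX constraint check (only the SAN is examined) and is accepted for `www.evil.test` by a client that falls back to CN, while the same client that ignores CN rejects it; the BR check flags the certificate either way. That is the reasoning behind the suggestion that, once every publicly trusted certificate is BR-compliant, a verifier can drop the CN fallback without losing any legitimate name.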

