* Kurt Roeckx: > I understand that the name constraint applies to the > SubjectAltName. Under the Baseline Requirements the SAN must be > present. If there is a CommonName it should match one of the SANs.
If the CAs abided by the baseline requirements, we wouldn't have to consider name constraints. :-( > We know that not everybody does add the SANs. But I think that if > there is a name constraint and there is no SAN we should just either > reject the certificate for being invalid or for not matching. This has to be integrated with certificate path processing somehow. Maybe it is feasible to ignore the Subject DN if there is a name constraint anywhere on the path? That would be fairly straightforward to implement with other PKIX validators (which generally lack the NSS hack for Common Name verification). _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
