Florian Weimer <[email protected]> wrote:
> Gervase Markham wrote:
>> On 24/03/15 09:35, Florian Weimer wrote:
>>> Sadly, name constraints do not work because they do not constrain the
>>> Common Name field. The IETF PKIX WG explicitly rejected an erratum
>>> which corrected this oversight.
>>>
>>> NSS used to be different (before the mozilla::pkix rewrite), but it's
>>> not PKIX-compliant.
>>
>> My understanding is that we continue to constrain the CN field using
>> name constraints, even after adopting mozilla::pkix; do you know
>> differently?
>
> I simply have not investigated, my comment was poorly phrased in this
> regard.
mozilla::pkix does enforce name constraints on domain names in the CN attribute of the subject field.

https://mxr.mozilla.org/mozilla-central/source/security/pkix/test/gtest/pkixnames_tests.cpp#2186

Cheers,
Brian
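The point of the thread, as an added illustration that is not code from mozilla::pkix or from anyone in the discussion: a dNSName name-constraint check in the RFC 5280 style, applied both to the SAN entries and to a hostname carried in the subject CN, with a `constrain_cn` switch that reproduces the gap a strict PKIX reading leaves open. All names and functions here are assumed for the example.

```python
"""Added example: RFC 5280 dNSName name constraints applied to SAN and CN."""
import re
from dataclasses import dataclass, field
from typing import Optional


def _labels(name: str) -> list:
    # Case-insensitive, ignore a trailing dot (absolute name).
    return name.lower().rstrip(".").split(".")


def dns_name_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint of the form
    host.example.com when it equals the base or adds labels on the left."""
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[-len(b):] == b


def looks_like_dns_name(value: str) -> bool:
    # Rough test that a CN value is a hostname rather than free text.
    return re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?", value) is not None


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # permittedSubtrees (dNSName)
    excluded: list = field(default_factory=list)   # excludedSubtrees (dNSName)

    def allows(self, name: str) -> bool:
        if any(dns_name_in_subtree(name, e) for e in self.excluded):
            return False
        if self.permitted and not any(dns_name_in_subtree(name, p)
                                      for p in self.permitted):
            return False
        return True


def check_end_entity(san_dns: list, cn: Optional[str], nc: NameConstraints,
                     constrain_cn: bool = True) -> list:
    """Return the names that violate the constraints.

    constrain_cn=True  -> the mozilla::pkix behaviour (CN hostname checked too).
    constrain_cn=False -> SAN-only checking; a hostname in the CN escapes the
                          constraint, which is the oversight the thread describes.
    """
    names = list(san_dns)
    if constrain_cn and cn and looks_like_dns_name(cn):
        names.append(cn)
    return [n for n in names if not nc.allows(n)]
```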

