On 12/04/17 10:47, Gervase Markham wrote:
> "If the certificate includes the id-kp-emailProtection extended key
> usage, it MUST include the Name Constraints X.509v3 extension with
> constraints on rfc822Name, with at least one name in permittedSubtrees."

As worded, this would allow for a set of constraints which looked like:

".com, .net, .edu, .us, .uk, ..."

The SSL BRs require:

"(a) For each dNSName in permittedSubtrees, the CA MUST confirm that the
Applicant has registered the dNSName or has been authorized by the
domain registrant to act on the registrant's behalf in line with the
verification practices of section 3.2.2.4."

That's not possible for e.g. ".com", so the problem is avoided.

Do we need to say that each entry in permittedSubtrees must be a Public
Suffix? Or do we need to require that each rfc822Name is
ownership-validated in an analogous way to the dNSNames in the BRs?

Gerv
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
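
The breadth problem raised above (rfc822Name permittedSubtrees entries such as ".com") can be checked mechanically on fields already extracted from an intermediate certificate. This is an added example, not part of the original message or any Mozilla or CA tooling; the function names and the small suffix set are constructed assumptions, and it does not perform the ownership validation the message also asks about.

```python
# Added example: lint pre-extracted certificate fields (hypothetical helper names).
EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

# Constructed sample only; a real check would load the full Public Suffix List.
SAMPLE_PUBLIC_SUFFIXES = {"com", "net", "edu", "us", "uk", "co.uk"}


def constraint_domain(entry):
    """Return the domain an rfc822Name constraint covers.

    RFC 5280 allows three forms: 'user@host' (one mailbox), 'host'
    (all mailboxes on that host) and '.domain' (all hosts under it).
    """
    domain = entry.rsplit("@", 1)[-1]
    return domain.strip(".").lower()


def lint_email_constraints(eku_oids, permitted_rfc822):
    """Return findings for one certificate's EKU list and rfc822Name subtrees."""
    if EMAIL_PROTECTION_OID not in eku_oids:
        return []  # the quoted requirement only applies to emailProtection
    if not permitted_rfc822:
        return ["emailProtection EKU without rfc822Name permittedSubtrees"]
    findings = []
    for entry in permitted_rfc822:
        domain = constraint_domain(entry)
        # A single label (TLD, or empty) or a listed suffix cannot be
        # registered by one Applicant, so the constraint is too broad.
        if "." not in domain or domain in SAMPLE_PUBLIC_SUFFIXES:
            findings.append(f"{entry!r} covers a whole public suffix")
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the ".com, .net, ..." case from the message.
    for finding in lint_email_constraints(
        [EMAIL_PROTECTION_OID], [".com", ".net", ".co.uk", "example.com"]
    ):
        print(finding)
```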

