On 19/05/2017 15:13, Gervase Markham wrote:
On 08/05/17 11:32, Dimitris Zacharopoulos wrote:
On 8/5/2017 1:18 μμ, Gervase Markham wrote:
          + dirName entries scoped in the Organizational name and location
Help me understand how dirName interacts with id-kp-emailProtection?

When the Subscriber belongs to an Organization that needs to be included
in the subjectDN.

Right, but why do we need name constraints here?

It seems to me that positive constraints on rfc822Name are sufficient
for an intermediate to be a TCSC.

Gerv


Because the O and other dirname attributes may be shown in an e-mail
client (current or future) as a stronger identity than the technical
e-mail address.

Imagine a certificate saying that [email protected] is "CN=Gervase
Markham, O=Mozilla Corporation, ST=California, CN=US", issued by a
SubCA name constrained to "@wosign.cn", but not to any range of DNs.

It would be problematic for such a SubCA to be considered a TCSC
excluded from all usual checks and balances.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
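
Added example (not part of the original message and not Mozilla policy text): a simplified Python model of RFC 5280 permitted-subtree checking, showing why a SubCA constrained only on rfc822Name still accepts the subject DN described in the reply above. The mailbox, the permitted DN, the host-form constraint "wosign.cn" standing in for "@wosign.cn", the subject written with C=US as its country attribute, and all function names are assumptions made for the illustration.

```python
# Added illustration: simplified RFC 5280 permittedSubtrees checks (no excludedSubtrees).
# DNs are lists of (attribute, value) pairs, most significant RDN first.

def rfc822_permitted(mailbox, subtrees):
    """True if the mailbox falls inside a permitted rfc822Name subtree."""
    local, _, host = mailbox.rpartition("@")
    host = host.lower()
    for c in subtrees:
        if "@" in c:                      # constraint names one mailbox
            c_local, _, c_host = c.rpartition("@")
            if (local, host) == (c_local, c_host.lower()):
                return True
        elif c.startswith("."):           # any host below this domain
            if host.endswith(c.lower()):
                return True
        elif host == c.lower():           # every mailbox on exactly this host
            return True
    return False

def _norm(dn):
    return [(a.upper(), " ".join(v.split()).casefold()) for a, v in dn]

def dirname_permitted(subject, subtrees):
    """A DN is inside a subtree when the subtree's RDNs are a prefix of it."""
    s = _norm(subject)
    return any(s[:len(t)] == _norm(t) for t in subtrees)

def check_leaf(constraints, subject, emails):
    """List violations. A name form with no permitted subtrees is unrestricted."""
    problems = []
    if constraints.get("rfc822Name"):
        problems += [f"rfc822Name {e} not permitted" for e in emails
                     if not rfc822_permitted(e, constraints["rfc822Name"])]
    if constraints.get("directoryName"):
        if not dirname_permitted(subject, constraints["directoryName"]):
            problems.append("subject DN not permitted")
    return problems

def constrains_email_and_dn(constraints):
    """Hypothetical check for the position argued above: both forms constrained."""
    return bool(constraints.get("rfc822Name")) and bool(constraints.get("directoryName"))

# Constructed sample data (the mailbox and the permitted DN are placeholders).
SUBJECT = [("C", "US"), ("ST", "California"),
           ("O", "Mozilla Corporation"), ("CN", "Gervase Markham")]
EMAILS = ["someone@wosign.cn"]
EMAIL_ONLY = {"rfc822Name": ["wosign.cn"]}
BOTH = {"rfc822Name": ["wosign.cn"],
        "directoryName": [[("C", "CN"), ("O", "Constructed Org Ltd")]]}
```

With EMAIL_ONLY the constructed leaf passes with no violations even though its O= names an unrelated organization; with BOTH the same leaf is rejected on its subject DN.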
