On 03/07/17 17:29, Peter Bowen wrote:
> "name constraints which do not allow Subject Alternative Names (SANs)
> of any of the following types: dNSName, iPAddress, SRVName,
> rfc822Name"
>
> SRVName is not yet allowed by the CA/Browser Forum Baseline
> Requirements (BRs), so I highly doubt any CA has issued a
> cross-certificate containing constraints on SRVName-type names. Until
> the Forum allows such issuance, I think this requirement should be
> changed to remove SRVName from the list. If the Forum does allow such
> in the future, adding this back can be revisited at such time.

Clearly, the set of things CAs must abide by is the restrictive union of the BRs and all the browser policies. So this is in the nature of an "unusable permission". So I don't think it's doing any harm.

Are there any plans for a ballot to enable this? I thought that perhaps there might be. If so, it seems easiest to just leave it.

Gerv

