G’day Corey,
I can see your point – perhaps the more accurate way explicitly allowed under
5280 would have been to encode the constraint as type uniformResourceIdentifier
rather than the type dNSName that was used.
I don’t recall if we actually tried that in our tests at the time with QV, but
I do know we had some debate about how to best reflect the desired constraints
because there did not seem to be any decent examples that we could find in the
wild as to how others were achieving a country level restriction, and
configuration that was finally settled on existed as an example on one the
groups, and in testing it provided the desired results.
Even though the dNSName example in 5280 does not explicitly prohibit the
leading “.” the example provided would lead most folks to that conclusion, and
that is obviously how the linters are interpreting it.
These two Intermediates were re-signed without the nameConstriant extensions
after we realized most organizations based in the UAE are often using .com or
.org anyway to host their sites, and therefore we couldn’t effectively meet the
needs of local customers. So these two have not been distributed for a couple
of years now anyway.
Regards,
--
Scott Rea
On 2/25/19, 5:57 AM, "dev-security-policy on behalf of Corey Bonnell via
dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf
of dev-security-policy@lists.mozilla.org> wrote:
Hi Scott,
The verbiage from RFC 5280, section 4.2.1.10 that you quoted is in regard
to URI GeneralNames, as the paragraph starts with "For URIs...".
The relevant paragraph in section 4.2.1.10 that specifies the required
syntax of dNSNames in nameConstraints and explains why the two intermediates
are non-compliant is as follows:
"DNS name restrictions are expressed as host.example.com. Any DNS
name that can be constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint. For
example, www.host.example.com would satisfy the constraint but
host1.example.com would not."
As you can see, there is no provision for encoding a leading period in
dNSNames. Several certificate linters detect this particular problem, which you
can see demonstrated in the two links I provided to the two intermediates'
crt.sh entries.
Thanks,
Corey
Scott Rea | Senior Vice President - Trust Services
Tel: +971 2 417 1417 | Mob: +971 52 847 5093
scott....@darkmatter.ae
The information transmitted, including attachments, is intended only for the
person(s) or entity to which it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or other
use of, or taking of any action in reliance upon this information by persons or
entities other than the intended recipient is prohibited. If you received this
in error, please contact the sender and destroy any copies of this information.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
