Hello, related to this... I'd like to point out something that is bugging me...
Section 7.1.5 of the BR stipulates...

First paragraph: "For a Subordinate CA Certificate to be considered Technically Constrained..."

Second paragraph: "If the Subordinate CA Certificate includes the id-kp-serverAuth extended key usage, then the Subordinate CA Certificate MUST include the Name Constraint..."

A strict reading of these two paragraphs would drive to the consequence that if the EKU exists, then the name constraint MUST be there too. It's evident that this is intended for a CA to be considered as technically constrained, but I think it can lead to an incompatibility with the Mozilla Policy, that expects all issuing CAs to include the EKU constraint since 1/1/2019.

Maybe my comment is irrelevant, but as said, it was unsettling me.

Best,
Pedro

