On Saturday, 2 November 2013 08:39:53 UTC+1, Kaspar Brand wrote:
> 11 hours ago, a new certificate was given birth to which I would
> like to share with this list for edification purposes. I think that the
> audience here should be able to fully appreciate what marvellous
> real-world example we are now provided with for testing the PKIX-based
> path validation implementations of the world for RFC 5280 compliance
> ("Applications conforming to this profile MUST be able to process name
> constraints that are imposed on the directoryName name form and SHOULD
> be able to process name constraints that are imposed on the rfc822Name,
> uniformResourceIdentifier, dNSName, and iPAddress name forms").
Nice. Even cut/pasting it to parse it is a bargain.

Wouldn't it have been easier to have several CA certificates with smaller constraints?

With such a large permitted subtree, can it really be considered constrained? Technically, it is, yes.

You missed the exclusion of IPv6 addresses. So this CA can certify for any IPv6 address range. I don't think it will be very dangerous within the next year, considering current IPv6 deployment.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
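As an added illustration of the IPv6 point raised above (example code, not from the thread or from any path-validation library): a minimal RFC 5280 §4.2.1.10 name-constraints matcher for the dNSName and iPAddress name forms. The constraint sets below are constructed for the demonstration; an excluded-subtree list that covers only IPv4 ranges still leaves every IPv6 address acceptable, because an IPv4 subtree can never match an IPv6 name.

```python
import ipaddress

def ip_in_subtree(addr: str, subtree: str) -> bool:
    """RFC 5280 iPAddress subtree: address||mask in DER (8 or 32 octets),
    written here as CIDR. A name of the other address family never matches,
    since its octet length differs from the subtree's."""
    a = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(subtree, strict=False)
    return a.version == net.version and a in net

def dns_in_subtree(name: str, subtree: str) -> bool:
    """dNSName subtree 'example.net' covers example.net and every label below it."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

MATCH = {"ip": ip_in_subtree, "dns": dns_in_subtree}

def san_allowed(kind: str, value: str, permitted, excluded) -> bool:
    """kind is 'ip' or 'dns'; permitted/excluded are lists of (kind, subtree).
    Any excluded hit is fatal; if the CA lists no permitted subtree for this
    name form, the form is unconstrained (only the exclusions apply)."""
    match = MATCH[kind]
    if any(match(value, s) for k, s in excluded if k == kind):
        return False
    same_form = [s for k, s in permitted if k == kind]
    return not same_form or any(match(value, s) for s in same_form)

def cert_allowed(sans, permitted, excluded) -> bool:
    """Every SAN of the leaf must survive the constraints (RFC 5280 §6.1.4 (g))."""
    return all(san_allowed(k, v, permitted, excluded) for k, v in sans)

# Constructed constraint sets (hypothetical, not the certificate from the thread):
# a permitted dNSName subtree plus exclusions that forget IPv6, then the fixed set.
PERMITTED = [("dns", "example.net")]
EXCLUDED_V4_ONLY = [("ip", "0.0.0.0/0")]
EXCLUDED_BOTH = EXCLUDED_V4_ONLY + [("ip", "::/0")]

if __name__ == "__main__":
    leaf = [("dns", "www.example.net"), ("ip", "2001:db8::1")]
    print(cert_allowed(leaf, PERMITTED, EXCLUDED_V4_ONLY))  # True: IPv6 SAN slips through
    print(cert_allowed(leaf, PERMITTED, EXCLUDED_BOTH))     # False: ::/0 closes the gap
```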