On 02/11/13 14:40, Erwann Abalea wrote:
> On Saturday, 2 November 2013 08:39:53 UTC+1, Kaspar Brand wrote:
>> 11 hours ago, a new certificate was given birth to which I would
>> like to share with this list for edification purposes. I think that the
>> audience here should be able to fully appreciate what marvellous
>> real-world example we are now provided with for testing the PKIX-based
>> path validation implementations of the world for RFC 5280 compliance
>> ("Applications conforming to this profile MUST be able to process name
>> constraints that are imposed on the directoryName name form and SHOULD
>> be able to process name constraints that are imposed on the rfc822Name,
>> uniformResourceIdentifier, dNSName, and iPAddress name forms").
>
> Nice. Even cut/pasting it to parse it is a bargain.
> Wouldn't it have been easier to have several CA certificates with smaller
> constraints?
> With such a large permitted subtree, can it really be considered constrained?
> Technically, it is, yes.
> You missed the exclusion of IPv6 addresses. So this CA can certify for any IPv6
> address range. I don't think it will be very dangerous within the next year,
> considering current IPv6 deployment.

Nonetheless, that IPv6 omission means that this CA certificate is unfortunately _not_ considered technically constrained according to the Mozilla CA Certificate Inclusion Policy.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

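Added example (not part of this thread, and not the CA certificate under discussion): the iPAddress part of a NameConstraints extension is modelled as two lists of `ipaddress` networks (permittedSubtrees and excludedSubtrees), and RFC 5280 matching is applied to report which address families the CA could still issue for. The sample constraint sets are constructed here to mirror the "IPv4 excluded, IPv6 forgotten" pattern from the thread.

```python
"""Which IP address families does a NameConstraints extension leave open?

RFC 5280 matching for the iPAddress name form: if permittedSubtrees holds
any iPAddress entry, a name must fall inside one of them (of any family);
otherwise the whole address space is permitted. excludedSubtrees are then
carved out in either case. Inputs are lists of ipaddress networks
(constructed for this example; a parser would supply them from the cert).
"""
import ipaddress


def nets(*cidrs):
    """Helper (constructed): turn CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def _subtract(remaining, excluded):
    """Remove every excluded network from each network in `remaining`."""
    for ex in excluded:
        nxt = []
        for n in remaining:
            if n.version != ex.version or not n.overlaps(ex):
                nxt.append(n)            # different family or disjoint: untouched
            elif ex.supernet_of(n):
                continue                 # n lies wholly inside ex: gone
            else:
                nxt.extend(n.address_exclude(ex))  # carve ex out of n
        remaining = nxt
    return remaining


def issuable_ip_space(permitted, excluded, version):
    """Networks of this IP version for which the CA could still issue a SAN."""
    if permitted:                        # some iPAddress entry is permitted
        perm = [n for n in permitted if n.version == version]
    else:                                # none: whole family space permitted
        perm = nets("0.0.0.0/0" if version == 4 else "::/0")
    return _subtract(perm, [e for e in excluded if e.version == version])


def unconstrained_families(permitted, excluded):
    """IP versions (4 and/or 6) the constraints do not close off."""
    return [v for v in (4, 6) if issuable_ip_space(permitted, excluded, v)]


# Constructed sample: the thread's pattern, IPv4 excluded but IPv6 forgotten.
THREAD_PATTERN = (nets(), nets("0.0.0.0/0"))
# Constructed sample: both families excluded, as the policy expects.
BOTH_EXCLUDED = (nets(), nets("0.0.0.0/0", "::/0"))
```

With no permitted iPAddress entry and only 0.0.0.0/0 excluded, `unconstrained_families` reports `[6]`; adding ::/0 to the excluded subtrees closes the gap.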
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto