Erwann, true, we did omit the required IPv6 constraint. Given the expiration of the cross-certificate, we were not able to wait for the release of version 5.4 of our PKI software, currently in QA, which enables IPv6 excluded subtrees. We expect to make longer-term arrangements with BIT at a time when we can enforce the IPv6 block.

As this is a cross certificate, we had to introduce the entire namespace in a single certificate rather than multiple CAs, because the issued end entity certificates with lifetimes extending beyond the past weekend all originate from one existing CA. Only the cross certificate was expiring, and it needed to cover the existing operational name space. We also wanted to document the entire researched name space at the same time that we took an exception to BR 1.1.6's 9.7/9.2.4, where, to support the existing base of certificates properly, we were forced to omit the required locality called for in 9.2.4 in one of the directory names. This was to be clear that we understand and intend to properly implement the requirements of 9.2.4, but had a legacy obstacle that required one directory name that omits locality and state/province. This was the o=admin,c=CH name. Given BIT's registration of o=admin as associated to an OID in their arc, established by law, we opted to treat o=admin as a Doing Business As value supported by the QGIS of documented exclusive use of this name published on the Swiss OFCOM site. BIT now has the name constraints in place to move o=admin,c=CH directory-named certificates into the more specific names we found in WHOIS data and the Swiss QGIS.

Rob, we opted to include the dotless and the dotted DNSNames to support https://ch.ch as well as https://www.ch.ch. I foresee doing this as regular practice, as it seems short URLs would be a burdensome reason to re-issue a subordinate CA. Granted, it's a lot of thinking, especially for battery-powered devices.

-Steve

--
View this message in context: http://mozilla.6506.n7.nabble.com/id-ce-nameConstraints-2-5-29-30-in-the-real-world-tp297147p297380.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
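The message touches two name-constraint details that are easy to get wrong when reviewing a cross certificate: how a dotless dNSName subtree (`ch.ch`) differs from the legacy dotted form (`.ch.ch`), and how an IPv6 block is expressed as an excludedSubtrees entry. The following checker is an added example, written for this page; it is not code from the message, from BIT, or from any PKI product, and it uses only the Python standard library. It assumes the RFC 5280 matching rule for dotless names (the base name itself or any name with labels added on the left) and treats the dotted form as matching subdomains only, which is the behaviour the leading-dot form was historically used to express. The `NameConstraints` class, the `EXAMPLE_NC` values and the sample SAN entries are constructed for illustration.

```python
"""Toy RFC 5280 name-constraint checker for dNSName and iPAddress subtrees (stdlib only)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class NameConstraints:
    """Subset of id-ce-nameConstraints (2.5.29.30): dNSName and iPAddress subtrees only.
    Constructed model for this example; directoryName subtrees are out of scope here."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)
    permitted_ip: List[IPNetwork] = field(default_factory=list)
    excluded_ip: List[IPNetwork] = field(default_factory=list)


def dns_in_subtree(name: str, base: str) -> bool:
    """Does `name` fall inside the dNSName subtree `base`?"""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        # Legacy "dotted" form (".ch.ch"): subdomains only, never the bare name.
        return len(name) > len(base) and name.endswith(base)
    # RFC 5280 "dotless" form ("ch.ch"): the name itself, or any name built by
    # adding labels on the left. "xch.ch" is NOT inside "ch.ch".
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr: str, net: IPNetwork) -> bool:
    """Does `addr` fall inside the iPAddress subtree `net`? Families never mix."""
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def _allowed(name, permitted, excluded, match: Callable) -> bool:
    # RFC 5280 order: an excluded match rejects outright; if any permitted
    # subtree of this name form exists, the name must fall inside one of them.
    if any(match(name, sub) for sub in excluded):
        return False
    if permitted and not any(match(name, sub) for sub in permitted):
        return False
    return True


def dns_allowed(nc: NameConstraints, name: str) -> bool:
    return _allowed(name, nc.permitted_dns, nc.excluded_dns, dns_in_subtree)


def ip_allowed(nc: NameConstraints, addr: str) -> bool:
    return _allowed(addr, nc.permitted_ip, nc.excluded_ip, ip_in_subtree)


def encode_ip_subtree(net: IPNetwork) -> bytes:
    """Octets of an iPAddress GeneralName inside nameConstraints: address followed
    by mask, so 8 octets for IPv4 and 32 for IPv6. The all-IPv6 block ::/0 is
    therefore 32 zero bytes in excludedSubtrees."""
    return net.network_address.packed + net.netmask.packed


def evaluate_sans(nc: NameConstraints, dns_names: List[str], ip_addrs: List[str]) -> Dict[str, bool]:
    """Apply the constraints to a list of SAN entries; True means the entry is permitted."""
    result = {n: dns_allowed(nc, n) for n in dns_names}
    result.update({a: ip_allowed(nc, a) for a in ip_addrs})
    return result


# Constructed example modelled on the message: permit ch.ch in both the dotless
# and the dotted form, and block every IPv6 address via an excluded subtree.
EXAMPLE_NC = NameConstraints(
    permitted_dns=["ch.ch", ".ch.ch"],
    excluded_ip=[ipaddress.ip_network("::/0")],
)

if __name__ == "__main__":
    sample_dns = ["ch.ch", "www.ch.ch", "xch.ch", "ch.ch.example"]   # constructed
    sample_ips = ["192.0.2.10", "2001:db8::1"]                        # constructed
    for entry, ok in evaluate_sans(EXAMPLE_NC, sample_dns, sample_ips).items():
        print(f"{entry:20} {'permitted' if ok else 'rejected'}")
    print("excludedSubtrees ::/0 octets:", encode_ip_subtree(EXAMPLE_NC.excluded_ip[0]).hex())
```

Under these rules the dotless entry alone already covers both https://ch.ch and https://www.ch.ch, and the dotted entry adds nothing for an RFC 5280 verifier; carrying both is a compatibility choice for verifiers that read the two forms differently. The IPv6 side shows why the missing constraint matters: with no IPv6 entry at all, `ip_allowed` returns True for `2001:db8::1`, and only the 32-zero-byte excluded subtree turns that into a rejection.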