> This is a "security issue" in the sense that is a Type-II error (disallowing
> good guys). It affects thousands of sites and who-knows-how-many users.

Well, kinda. It disallows good guys who made a mistake and are violating the RFC. Sure, they're not written in stone and that particular RFC has its share of issues, but calling this a security issue doesn't seem right. Allowing greater interop, with minimal security exposure, seems a better way to put it.

A more compliant fix is to re-issue the CA and its subordinates, while working the RFC issues through the IETF. But OpenSSL is very pragmatic.

> *** It would make sense to fix the nameConstraints bypass bug
> *** [openssl.org #3502] at the same time.

That's a bigger change and the RT commentary has lots of caveats about the code there as you know (since you wrote them).

> *** Otherwise the whole nameConstraints concept is pretty much
> *** pointless.

There are those who think that anyway.
