<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"MS Mincho";
        panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
        {font-family:"MS Gothic";
        panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
        {font-family:"MS Gothic";
        panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"\@MS Gothic";
        panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
        {font-family:"\@MS Mincho";
        panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
p.MsoFootnoteText, li.MsoFootnoteText, div.MsoFootnoteText
        {mso-style-link:"Footnote Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        text-align:justify;
        font-size:10.0pt;
        font-family:"Arial","sans-serif";}
span.MsoFootnoteReference
        {vertical-align:super;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:"Calibri","sans-serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Courier New";}
span.FootnoteTextChar
        {mso-style-name:"Footnote Text Char";
        mso-style-link:"Footnote Text";
        font-family:"Arial","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
/* Page Definitions */
@page
        {mso-endnote-separator:url("cid:header.htm\@01CD3A4A.3A4E3FD0") es;
        mso-endnote-continuation-separator:url("cid:header.htm\@01CD3A4A.3A4E3FD0") ecs;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:682780365;
        mso-list-type:hybrid;
        mso-list-template-ids:-1578495222 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Unfortunately not 100% of browsers or email clients support enforcing name constraints, but they all support honoring the </span><a href="http://www.ietf.org/rfc/rfc3280.txt"><span style='font-family:"Verdana","sans-serif"'>RFC 3280</span></a><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'> behavior for critical extensions (see section 4.2), which states:<o:p></o:p></span></p><pre><span style='color:black'><o:p> </o:p></span></pre><pre style='margin-left:.5in'><span style='font-size:9.0pt;color:black'>A certificate using system MUST reject the certificate if it encounters a critical extension it does not recognize<o:p></o:p></span></pre><p class=MsoNormal><span style='font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>This means that, by marking the Name Constraints extension Critical, those implementations that do not support the concept will “fail-closed”. 
While this does mean that a certificate issued by a constrained CA may not work in some limited cases where it might have otherwise, it does mean that it can be used as a secure mechanism to restrict the damage that can happen if that CA is compromised.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>With that said, support for name constraints is actually quite good as the following table illustrates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'><o:p> </o:p></span></p><table class=MsoTableGrid border=1 cellspacing=0 cellpadding=0 width=673 style='width:504.9pt;border-collapse:collapse;border:none'><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'><o:p> </o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Honor Criticality<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Support Basic Constraints <o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Supports DNS Name 
Constraints<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Supports RFC 822 Name Constraints<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Supports Policy Constraints<o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Supports constrained EKU<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Successfully enforces<o:p></o:p></span></p></td></tr><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>IE <a style='mso-footnote-id:ftn1' href="#_ftn1" name="_ftnref1" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white;mso-fareast-language:EN-US'>[1]</span></span></span></a><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>N/A</span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p 
class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Open)<o:p></o:p></span></p></td></tr><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Outlook<sup>1</sup><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Open)<o:p></o:p></span></p></td></tr><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Firefox<sup>1</sup><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Open)<o:p></o:p></span></p></td></tr><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Thunderbird<sup>1</sup><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Open)<o:p></o:p></span></p></td></tr><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Opera<sup>1</sup><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<a style='mso-footnote-id:ftn2' href="#_ftn2" name="_ftnref2" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white;mso-fareast-language:EN-US'>[2]</span></span></span></a><o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<sup>2</sup><o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<sup>2</sup><o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (SSL only)<span class=MsoFootnoteReference> <a style='mso-footnote-id:ftn3' href="#_ftn3" name="_ftnref3" title=""><span class=MsoFootnoteReference><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white;mso-fareast-language:EN-US'>[3]</span></span></a></span><o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Closed)<o:p></o:p></span></p></td></tr><tr style='height:23.35pt'><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Windows / Safari<sup>1</sup><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 
5.4pt;height:23.35pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Open)<o:p></o:p></span></p></td></tr><tr><td width=93 valign=top style='width:69.6pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>OSX / Safari<a style='mso-footnote-id:ftn4' href="#_ftn4" name="_ftnref4" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white;mso-fareast-language:EN-US'>[4]</span></span></span></a><o:p></o:p></span></p></td><td width=71 valign=top style='width:53.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes<o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<a style='mso-footnote-id:ftn5' href="#_ftn5" name="_ftnref5" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white;mso-fareast-language:EN-US'>[5]</span></span></span></a><o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<sup>5</sup><o:p></o:p></span></p></td><td width=83 valign=top style='width:62.15pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<sup>5</sup><o:p></o:p></span></p></td><td width=84 valign=top style='width:63.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>No<o:p></o:p></span></p></td><td width=93 valign=top style='width:70.05pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>Yes (Closed)<o:p></o:p></span></p></td></tr></table><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>What this table shows is:<o:p></o:p></span></p><p class=MsoListParagraphCxSpFirst style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span 
style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>It is possible to rely on the name constraints extension as an effective enforcement technique if the extension is marked as critical.<o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>It is possible to rely on the Basic Constraints extension as an effective enforcement technique.<o:p></o:p></span></p><p class=MsoListParagraphCxSpLast style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>In the case of Safari and Opera that this success is due to these browsers support of honoring the semantics for critical extensions vs. 
understanding the constraints.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'>For customers this means that if you must interoperate with Opera or Safari, the use of a certificate with a “Critical” “Name Constraints extension” in it will result in the certificate chain being treated as invalid. Thankfully, according to </span><a href="http://gs.statcounter.com"><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";background:white'>StatCounter</span></a><span style='font-size:9.0pt;font-family:"Verdana","sans-serif";color:#666666;background:white'> these represent less than 6% of all browsers on the Internet, and anecdotal evidence shows almost no use in the enterprise.<o:p></o:p></span></p><p class=MsoPlainText><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoFootnoteText><span class=MsoFootnoteReference><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><span class=MsoFootnoteReference><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif";mso-fareast-language:EN-US'>[1]</span></span></span></span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Tests on Windows were completed with Windows 7, IE 9.0, Outlook 2007, Safari 5.05, Opera 11.61, Firefox/Thunderbird 10.0.2.<o:p></o:p></span></p><p class=MsoFootnoteText><span class=MsoFootnoteReference><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>2</span></span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> <a href="http://www.openssl.org"><span lang=EN-US>OpenSSL</span></a></span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> supports name 
constraints for both name forms as well as policy constraints; Opera has chosen not to enable these capabilities until demand was present. This work was done in OpenSSL in 2008 as part of a contract to Google.<o:p></o:p></span></p><p class=MsoFootnoteText><span class=MsoFootnoteReference><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>3</span></span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> Opera uses <a href="http://www.openssl.org"><span lang=EN-US>OpenSSL</span></a></span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> which </span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>supports </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>restricting</span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> a CA </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>from issuing valid</span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> SSL server </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>certificates</span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> if its parent </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>did </span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>not place the SSL EKU in </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>its</span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>certificate</span><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>.</span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p><p class=MsoFootnoteText><span class=MsoFootnoteReference><span lang=FR style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>4</span></span><span lang=FR 
style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> </span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>Tests on OSX were completed with Lion and Safari 5.05.<o:p></o:p></span></p><p class=MsoPlainText><span class=MsoFootnoteReference><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'>5</span></span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'> Safari on the Mac uses the <a href="http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html">PKITS</a> tests, so they are aware of the deficiency in their validation logic; they have not publicly stated that they will support them, but we expect support in the future.<o:p></o:p></span></p><p class=MsoPlainText><a name="_MailEndCompose"><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></a></p><p class=MsoPlainText>-----Original Message-----<br>From: Bruce Morton [mailto:bruce.morton@entrust.com] <br>Sent: Friday, May 25, 2012 7:24 AM<br>To: '王文正'; 'Rob Stradling'; 'Ryan Hurst'; 'Steve Roylance'; 'Chris Palmer'<br>Cc: 'public@cabforum.org'<br>Subject: RE: [cabfpub] More changes to proposed policy update</p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Does anyone know what major browsers/operating systems will properly support non-critical Name Constraints?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Thanks, Bruce.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<o:p></o:p></p><p class=MsoPlainText>From: <a href="mailto:public-bounces@cabforum.org"><span style='color:windowtext;text-decoration:none'>public-bounces@cabforum.org</span></a> <a href="mailto:public-bounces@cabforum.org"><span style='color:windowtext;text-decoration:none'>[mailto:public-bounces@cabforum.org]</span></a> On Behalf Of 王文正<o:p></o:p></p><p class=MsoPlainText>Sent: Friday, May 25, 2012 9:42 AM<o:p></o:p></p><p class=MsoPlainText>To: Rob Stradling; 
Ryan Hurst; Steve Roylance; 'Chris Palmer'<o:p></o:p></p><p class=MsoPlainText>Cc: <a href="mailto:public@cabforum.org"><span style='color:windowtext;text-decoration:none'>public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText>Subject: Re: [cabfpub] More changes to proposed policy update<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Dear Rob, Steve, Ryan and Chris,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Thank you all for your patience in explaining your logic.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Now I understand your rationale goes like this: If we turn the Name Constraints extension into an 'informative' extension first by marking it non-critical, hopefully it will become a real constraint-type extension in the end.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Making it an informative extension is better than nothing. Maybe you are right. However, my guess is it will stay an informative extension forever. I do not believe allowing the non-critical Name Constraints extension can help push the world to reach the desired end state (I mean all clients supporting the critical Name Constraints extension). Since it is non-critical, it will not provide the motive power to push those dumb clients to change themselves, because they can simply ignore it. On the contrary, I think marking the Name Constraints extension critical is the way to provide the motive power. If dumb clients explode, their users will ask the implementers to support it. Otherwise, the users will switch to smarter clients. I do understand that if we go this way, the process to reach the desired end state might be bloody. 
If your goal is to reach the desired end state, this is the way that can really accelerate the process.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>If the forum finally decides to approve the motion allowing the non-critical Name Constraints extension, then we should ask ourselves a question: when will we turn back to change the BR to require marking the Name Constraints extension as critical? Until 100% of clients become smart? Or is 95% (whatever) acceptable? Can we really reach the so-called "desired end state" in this way?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Wen-Cheng Wang<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<o:p></o:p></p><p class=MsoPlainText>From: Rob Stradling <a href="mailto:rob.stradling@comodo.com"><span style='color:windowtext;text-decoration:none'>[mailto:rob.stradling@comodo.com]</span></a><o:p></o:p></p><p class=MsoPlainText>Sent: Friday, May 25, 2012 7:12 PM<o:p></o:p></p><p class=MsoPlainText>To: <span style='font-family:"MS Gothic"'>王文正</span><o:p></o:p></p><p class=MsoPlainText>Cc: Ryan Hurst; 'Chris Palmer'; <a href="mailto:public@cabforum.org"><span style='color:windowtext;text-decoration:none'>public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText>Subject: Re: [cabfpub] More changes to proposed policy update<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On 25/05/12 11:43, <span style='font-family:"MS Gothic"'>王文正</span> wrote:<o:p></o:p></p><p class=MsoPlainText>> I do not get the logic here.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I think Ryan's post explained the logic clearly and succinctly.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>You're looking only at the "desired end state".  
Please consider the "transition problem".<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Security versus Usability.  If we can't ever Use it in practice, we won't ever benefit from the Security it offers.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Today, Critical Name Constraints are considered undeployable by many CAs, because too much relying party software would break.  Therefore, using the Name Constraints extension _at all_ is not an option for us.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Non-critical Name Constraints are better than No Name Constraints!<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The "desired end state" is...<o:p></o:p></p><p class=MsoPlainText>1. Name Constraints always Critical.<o:p></o:p></p><p class=MsoPlainText>2. Name Constraints actually used!<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>If you can suggest an alternative way to solve the "transition problem" <o:p></o:p></p><p class=MsoPlainText>so that we can reach the "desired end state", we would love to hear it!<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Nobody is suggesting that CAs should be prohibited from setting the Name Constraints extension to Critical.  
All we are saying is that CAs should be allowed to use non-critical Name Constraints instead of No Name Constraints at all.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>> Since the purpose of adding the Name Constraints extension is to technically constrain the name space in which the externally-operated subordinate CA is allowed to issue subsequent certificates, I do not see how this purpose can be accomplished if we allow clients to ignore the Name Constraints extension (by marking it non-critical).<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> To those smart clients, marking the Name Constraints extension critical causes no problem because that extension is recognized. To those dumb clients, if they do not understand the meaning of the Name Constraints extension, it is dangerous for them to blindly accept the certificate. It comes naturally that those dumb clients should reject constrained certificates they do not understand. I do not see why allowing clients to blindly accept certificates which may be outside the allowed name space can materially reduce the risk of those that rely on us.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> I do not oppose the use of the Name Constraints extension, but I want that extension to be used in the correct way.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> Wen-Cheng Wang<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> -----Original Message-----<o:p></o:p></p><p class=MsoPlainText>> From: Ryan Hurst <a href="mailto:ryan.hurst@globalsign.com"><span style='color:windowtext;text-decoration:none'>[mailto:ryan.hurst@globalsign.com]</span></a><o:p></o:p></p><p class=MsoPlainText>> Sent: Friday, May 25, 2012 6:15 AM<o:p></o:p></p><p class=MsoPlainText>> To: 'Chris Palmer'; <span style='font-family:"MS Gothic"'>王文正</span><o:p></o:p></p><p class=MsoPlainText>> Cc: <a 
href="mailto:public@cabforum.org"><span style='color:windowtext;text-decoration:none'>public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText>> Subject: RE: [cabfpub] More changes to proposed policy update<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> I agree with Chris and others on this topic.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> The intent of a standard is to document the desired end state, only sometimes do they bother themselves with the transition problem (which is why so many never really get fully deployed IMHO).<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> In this case the only downside of doing this is not complying with a clause in some document, the upside is materially reducing the risk of those that rely on us.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> We are actively moving our customers to this model.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> Ryan<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> -----Original Message-----<o:p></o:p></p><p class=MsoPlainText>> From: <a href="mailto:public-bounces@cabforum.org"><span style='color:windowtext;text-decoration:none'>public-bounces@cabforum.org</span></a> <a href="mailto:[mailto:public-bounces@cabforum.org]"><span style='color:windowtext;text-decoration:none'>[mailto:public-bounces@cabforum.org]</span></a><o:p></o:p></p><p class=MsoPlainText>> On Behalf Of Chris Palmer<o:p></o:p></p><p class=MsoPlainText>> Sent: Thursday, May 24, 2012 1:38 PM<o:p></o:p></p><p class=MsoPlainText>> To: <span style='font-family:"MS Gothic"'>王文正</span><o:p></o:p></p><p class=MsoPlainText>> Cc: <a href="mailto:public@cabforum.org"><span style='color:windowtext;text-decoration:none'>public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText>> Subject: Re: [cabfpub] More changes to proposed policy 
update<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> On Thu, May 24, 2012 at 6:42 AM, <span style='font-family:"MS Gothic"'>王文正</span><<a href="mailto:wcwang@cht.com.tw"><span style='color:windowtext;text-decoration:none'>wcwang@cht.com.tw</span></a>>  wrote:<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>>> For the criticality of the Name Constraints extension, the text in <o:p></o:p></p><p class=MsoPlainText>>> the ITU-T X.509 standard reads "It is recommended that it be flagged critical; otherwise, a certificate user may not check that subsequent certificates in a certification path are located in the constrained name spaces intended by the issuing CA."<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> Sure, but otherwise-acceptable certificate chains fail in some clients when the client sees critical fields it doesn't understand. That effectively stops us from deploying name-constrained certificates without an Internet Flag Day where everyone fixes their clients. Since that is not going to happen, the way to get incremental improvement is to allow non-critical name constraints, and for the vendors of smart clients to enforce them where present.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> That is, to smart clients they will be effectively critical, but dumb clients at least won't explode. That's not ideal, but it is significantly Better Than Nothing. 
Name constraints are so wonderfully good that it's still very nice to get their benefits in some clients, even if not in all clients.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> So Google would most likely vote for it and implement it.<o:p></o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>><o:p> </o:p></p><p class=MsoPlainText>> --<o:p></o:p></p><p class=MsoPlainText>> If it's not safe, is it really usable?<o:p></o:p></p><p class=MsoPlainText>> _______________________________________________<o:p></o:p></p><p class=MsoPlainText>> Public mailing list<o:p></o:p></p><p class=MsoPlainText>> <a href="mailto:Public@cabforum.org"><span style='color:windowtext;text-decoration:none'>Public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText>> <a href="http://cabforum.org/mailman/listinfo/public"><span style='color:windowtext;text-decoration:none'>http://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p><p class=MsoPlainText>> _______________________________________________<o:p></o:p></p><p class=MsoPlainText>> Public mailing list<o:p></o:p></p><p class=MsoPlainText>> <a href="mailto:Public@cabforum.org"><span style='color:windowtext;text-decoration:none'>Public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText>> <a href="http://cabforum.org/mailman/listinfo/public"><span style='color:windowtext;text-decoration:none'>http://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>--<o:p></o:p></p><p class=MsoPlainText>Rob Stradling<o:p></o:p></p><p class=MsoPlainText>Senior Research & Development Scientist<o:p></o:p></p><p class=MsoPlainText>COMODO - Creating Trust Online<o:p></o:p></p><p class=MsoPlainText>Office Tel: +44.(0)1274.730505<o:p></o:p></p><p class=MsoPlainText>Office Fax: +44.(0)1274.730909<o:p></o:p></p><p class=MsoPlainText><a href="http://www.comodo.com"><span 
style='color:windowtext;text-decoration:none'>www.comodo.com</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>COMODO CA Limited, Registered in England No. 04058690 Registered Office:<o:p></o:p></p><p class=MsoPlainText>   3rd Floor, 26 Office Village, Exchange Quay,<o:p></o:p></p><p class=MsoPlainText>   Trafford Road, Salford, Manchester M5 3EQ<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.  If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.<o:p></o:p></p><p class=MsoPlainText>_______________________________________________<o:p></o:p></p><p class=MsoPlainText>Public mailing list<o:p></o:p></p><p class=MsoPlainText><a href="mailto:Public@cabforum.org"><span style='color:windowtext;text-decoration:none'>Public@cabforum.org</span></a><o:p></o:p></p><p class=MsoPlainText><a href="http://cabforum.org/mailman/listinfo/public"><span style='color:windowtext;text-decoration:none'>http://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p></div><div style='mso-element:footnote-list'><br clear=all><hr align=left size=1 width="33%"><div style='mso-element:footnote' id=ftn1><p class=MsoFootnoteText><a style='mso-footnote-id:ftn1' href="#_ftnref1" name="_ftn1" title=""><span class=MsoFootnoteReference><span lang=FR><span class=MsoFootnoteReference><span lang=FR style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>[1]</span></span></span></span></a><span lang=FR> </span>Tests on Windows were 
completed with Windows 7, IE 9.0, Outlook 2007, Safari 5.05, Opera 11.61, Firefox/Thunderbird 10.0.2.<o:p></o:p></p></div><div style='mso-element:footnote' id=ftn2><p class=MsoFootnoteText><a style='mso-footnote-id:ftn2' href="#_ftnref2" name="_ftn2" title=""><span class=MsoFootnoteReference><span lang=FR><span class=MsoFootnoteReference><span lang=FR style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>[2]</span></span></span></span></a><span lang=FR> <a href="http://www.openssl.org"><span lang=EN-US>OpenSSL</span></a></span> supports name constraints for both name forms as well as policy constraints; Opera has chosen not to enable these capabilities until demand was present. This work was done in OpenSSL in 2008 as part of a contract to Google.<o:p></o:p></p></div><div style='mso-element:footnote' id=ftn3><p class=MsoFootnoteText><a style='mso-footnote-id:ftn3' href="#_ftnref3" name="_ftn3" title=""><span class=MsoFootnoteReference><span lang=FR><span class=MsoFootnoteReference><span lang=FR style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>[3]</span></span></span></span></a><span lang=FR> Opera uses <a href="http://www.openssl.org"><span lang=EN-US>OpenSSL</span></a></span> which <span lang=FR>supports </span>restricting<span lang=FR> a CA </span>from issuing valid<span lang=FR> SSL server </span>certificates<span lang=FR> if its parent </span>did <span lang=FR>not place the SSL EKU in </span>its certificate<span lang=FR>.</span><o:p></o:p></p></div><div style='mso-element:footnote' id=ftn4><p class=MsoFootnoteText><a style='mso-footnote-id:ftn4' href="#_ftnref4" name="_ftn4" title=""><span class=MsoFootnoteReference><span lang=FR><span class=MsoFootnoteReference><span lang=FR style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>[4]</span></span></span></span></a><span lang=FR> </span>Tests on OSX were completed with Lion and Safari 5.05.<o:p></o:p></p></div><div 
style='mso-element:footnote' id=ftn5><p class=MsoFootnoteText><a style='mso-footnote-id:ftn5' href="#_ftnref5" name="_ftn5" title=""><span class=MsoFootnoteReference><span lang=FR><span class=MsoFootnoteReference><span lang=FR style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>[5]</span></span></span></span></a><span lang=FR> </span>Safari on the Mac uses the <span lang=FR><a href="http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html"><span lang=EN-US>PKITS</span></a></span> tests, so they are aware of the deficiency in their validation logic; they have not publicly stated that they will support them, but we expect support in the future.<o:p></o:p></p></div></div></body></html>