<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello,<br>
<br>
Late reply (due to vacation), inline.<br>
<br>
<pre class="moz-signature" cols="72">--
Erwann ABALEA
</pre>
On 13/07/2013 02:32, Rick Andrews wrote:<br>
</div>
<blockquote
cite="mid:544B0DD62A64C1448B2DA253C011414607B11A68B0@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Section 9.7: A question about DirName in your example:</span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">X509v3 Name Constraints:</span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Permitted:</span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:.5in"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">DNS:example.com</span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:.5in"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">DirName: C=US, ST=MA, L=Boston, O=Example LLC</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">If a Subordinate CA contains this in its Name Constraints extension, does that mean that compliant browsers will reject any end entity certificate issued by this Subordinate CA unless the DN of the end entity cert is “C=US, ST=MA, L=Boston, O=Example LLC, CN=&lt;zero or more labels&gt;.example.com”?<br>
</span></p>
</div>
</div>
</blockquote>
<br>
My reading of the standard about NameConstraints leads me to think
that:<br>
<ul>
<li>a certificate containing an empty subject name and a
SAN/dnsName with "&lt;anything&gt;.example.com" will be valid.
No security problem.</li>
<li>a certificate containing a subject name "C=US, ST=MA,
L=Boston, O=Example LLC, CN=*.google.com" (without any
SAN/dnsName, or with a SAN/dnsName="&lt;anything&gt;.example.com")
will be valid. Potential security problem if the CA doesn't
follow CABF BR rules (i.e. always have SAN extension, always
copy the CN into SAN/{dnsName, ipAddress} if it contains a FQDN
or an IP address).</li>
<li>a certificate containing a subject name "C=US, ST=MA,
L=Boston, O=Example LLC, O=Google, CN=*.google.com" (with same
remarks as above regarding SAN) will be valid. Same security
risks, and the browser may display the wrong Organization in
dedicated UI elements.<br>
</li>
</ul>
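<br>
An added illustration of the reading above, not code from either message: RFC 5280 permitted-subtree matching for dNSName and directoryName, run over the three cases in the reply, plus the CN-must-be-in-SAN check that the CABF rules impose. The (type, value) list model of a DN, the helper names and the lower-cased string comparison are assumptions of this example.<br>

```python
"""Added illustration of the RFC 5280 name-constraint logic discussed above.
Not the author's code: DNs are modelled as ordered lists of (type, value)
RDNs and values are compared as lower-cased strings; real validators compare
canonical DER encodings, and excluded subtrees are not modelled."""

# Constructed permitted subtrees, copied from the example in the question.
PERMITTED_DNS = ["example.com"]
PERMITTED_DIRNAME = [
    [("C", "US"), ("ST", "MA"), ("L", "Boston"), ("O", "Example LLC")],
]

def dns_in_subtree(name, base):
    """RFC 5280 4.2.1.10: a dNSName satisfies the constraint when it equals
    the base or is built by adding labels to the left of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def dn_in_subtree(subject, base):
    """X.500 subtree semantics: the constraint's RDNs must be a prefix of the
    subject's RDN sequence; extra trailing RDNs (O=Google, CN=...) still match."""
    if len(subject) < len(base):
        return False
    return all(s[0].upper() == b[0].upper() and s[1].lower() == b[1].lower()
               for s, b in zip(subject, base))

def permitted(subject, san_dns):
    """True when every SAN dNSName lies under a permitted DNS subtree and a
    non-empty subject DN lies under a permitted directoryName subtree.
    The subject CN is never matched against the dNSName subtrees, which is why
    CN=*.google.com passes in the second and third cases of the reply."""
    if subject and not any(dn_in_subtree(subject, b) for b in PERMITTED_DIRNAME):
        return False
    return all(any(dns_in_subtree(n, b) for b in PERMITTED_DNS) for n in san_dns)

def cn_not_in_san(subject, san_dns):
    """The CABF mitigation mentioned in the reply: report any CN that looks
    like a host name but is not repeated as a SAN dNSName, because only the
    SAN copy is subject to the DNS constraint."""
    san = {n.lower() for n in san_dns}
    return [v for t, v in subject if t.upper() == "CN" and "." in v and v.lower() not in san]

if __name__ == "__main__":
    base = PERMITTED_DIRNAME[0]
    print(permitted([], ["www.example.com"]))                               # True
    print(permitted(base + [("CN", "*.google.com")], ["www.example.com"]))  # True
    print(cn_not_in_san(base + [("CN", "*.google.com")], ["www.example.com"]))  # ['*.google.com']
```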
</body>
</html>