<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hello,
<div class=""><br class="">
</div>
<div class="">Looking from the other side (relying party), consider a CA certificate having a NameConstraints extension without the otherName:SRVName type, and a subscriber certificate containing such an otherName:SRVName entry in the SAN.</div>
<div class=""><br class="">
</div>
<div class="">X.509/RFC5280 validation rules say that the subscriber certificate is valid. What the proposed text says is that if the CA is public then this is a fault, just like issuing certificates with other kinds of otherName entries or non-qualified hostnames. Not perfect, but we already did it.</div>
<div class=""><br class="">
</div>
<div class="">The subject of Technically Constrained CAs was raised before; I raise it here again: there is no standard way for a CA to issue a subordinate CA certificate and technically deny its ability to issue subscriber certificates with any kind of SRVName entries.</div>
<div class="">I asked the IETF/PKIX group (or what remains of it) in July about this issue; the only two proposed solutions were:</div>
<div class=""><br class="">
</div>
<div class="">1/ have a NC:permittedSubtrees containing an invalid SRVName ("_invalid.invalid")</div>
<div class="">2/ have a NC:excludedSubtrees (or permitted?) containing a non-defined value, SRVName = "_"; it can only work if "_" is considered the same for every application, either "matches everything" or "rejects everything" (everything being service name AND domain name)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div class="">Regards,</div>
<div class="">Erwann Abalea</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 27 Sept 2016, at 23:11, Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com" class="">jeremy.rowley@digicert.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<span class="">Resurrecting this ballot after its long hiatus. It's essentially the same, but I removed the underscore modification.</span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
-- MOTION BEGINS --</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
Effective immediately, the following changes are made to the Baseline Requirements:</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in;" class="">
<span style="font-size: 11pt;" class="">A) Section 4.2.2 of the Baseline Requirements is replaced with “No Stipulation”</span></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">
<span style="font-size: 11pt;" class=""> </span></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in;" class="">
<span style="font-size: 11pt;" class="">B) Add the following definition to Section 1.6.1:</span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<u class="">Wildcard Domain Name: A Domain Name formed by prepending '*.' to a FQDN.</u></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">
<span style="font-size: 11pt;" class=""> </span></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in;" class="">
<span style="font-size: 11pt;" class="">C) Section 7.1.4.2.1 is amended as follows:</span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<b class="">Certificate Field:</b> extensions:subjectAltName</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<b class="">Required/Optional:</b> Required</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<b class="">Contents:</b> This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name, <u class="">Wildcard Domain Name,</u> <s class="">or </s>an iPAddress containing the IP address of a server, <u class="">or an otherName of type SRVName as defined in RFC4985</u>. <u class="">An entry MUST NOT be an Internal name or Reserved IP Address.</u> The CA MUST confirm the entry as follows:</div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in;" class="">
<span style="font-size: 11pt;" class="">a) <u class="">For a</u> Fully-Qualified Domain Name <u class="">or Wildcard Domain Name entry, the CA MUST verify the entry in accordance with Section 3.2.2.4;</u></span></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in;" class="">
<span style="font-size: 11pt;" class="">b) <u class="">For a SRVName entry, the CA MUST verify the Name portion of the entry in accordance with Section 3.2.2.4; and</u></span></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; text-indent: -0.25in;" class="">
<span style="font-size: 11pt;" class="">c) <u class="">For</u> an IP address entry, <u class="">the CA MUST verify the entry in accordance with Section 3.2.2.5</u> <s class="">or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate</s>. <s class="">Wildcard FQDNs are permitted.</s></span></div>
<p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">
<u class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class="">As exceptions to RFC5280 and X.509, dNSName entries MAY contain Wildcard Domain Names. SRVName entries MUST NOT contain Wildcard Domain Names.</span></u></p>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<u class="">If a name constrained CA has a dNSName constraint but does not have a constraint for SRVNames, the CA MUST NOT issue certificates containing SRVNames.</u></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<s class="">As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the</s> CA<u class="">s</u> SHALL NOT issue a certificate <s class="">with an Expiry Date later than 1 November 2015 </s>with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name. <s class="">Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an Internal Name using onion as the right-most label in an entry in the subjectAltName Extension or commonName field unless such Certificate was issued in accordance with Appendix F of the EV Guidelines.</s></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
---- END BALLOT ----</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<o:p class=""> </o:p></div>
</div>
<span id="cid:786951C4-0E37-48E0-942D-371B50BD64BF@docusignhq.com">&lt;SRV Name Proposal.pdf&gt;</span><span class="">_______________________________________________</span><br class="">
<span class="">Public mailing list</span><br class="">
<a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">
<a href="https://cabforum.org/mailman/listinfo/public" class="">https://cabforum.org/mailman/listinfo/public</a></div>
</blockquote>
</div>
<br class="">
</div>
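<div class="">As an added illustration (not part of the message above or of the ballot), the following Python models the RFC 5280 section 6.1.4 name-constraints processing for the two SAN forms under discussion, dNSName and otherName:SRVName. It shows the relying-party view from the message: a sub-CA whose NameConstraints lists only a dNSName subtree leaves otherName:SRVName entries unconstrained, so a leaf carrying an SRVName for an unrelated domain still validates; it then shows how workaround 1 (a permittedSubtrees SRVName of "_invalid.invalid") closes that gap. The code works on plain strings rather than DER so it runs without any library. The SRVName matching rule in srv_in_subtree is an assumed simplification (exact service label, dNSName subtree rule for the domain part), not a transcription of RFC 4985 section 3, and the CA constraints and leaf SAN are constructed sample data.</div>

```python
"""
Model of RFC 5280 section 6.1.4 name-constraints processing for two SAN forms:
dNSName and otherName:SRVName (RFC 4985, id-on-dnsSRV 1.3.6.1.5.5.7.8.7).
Added example, not code from the original message; string-based, no DER.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

DNS = "dNSName"
SRV = "SRVName"   # carried as otherName{id-on-dnsSRV, IA5String "_Service.Name"}


@dataclass
class NameConstraints:
    """(name_form, base) pairs taken from permittedSubtrees / excludedSubtrees."""
    permitted: List[Tuple[str, str]] = field(default_factory=list)
    excluded: List[Tuple[str, str]] = field(default_factory=list)


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies the constraint when it equals the
    base or is formed by adding one or more labels to the left of the base."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def split_srvname(srv: str) -> Tuple[str, str]:
    """'_ldap.example.com' -> ('_ldap', 'example.com'), the RFC 4985 layout."""
    service, sep, domain = srv.partition(".")
    if not service.startswith("_") or not sep or not domain:
        raise ValueError(f"malformed SRVName: {srv!r}")
    return service, domain


def srv_in_subtree(name: str, base: str) -> bool:
    """ASSUMED matching rule for an SRVName constraint: the service label must
    match exactly and the domain part follows the dNSName subtree rule. This is a
    simplification for illustration, not the RFC 4985 section 3 text."""
    n_service, n_domain = split_srvname(name)
    b_service, b_domain = split_srvname(base)
    return n_service.lower() == b_service.lower() and dns_in_subtree(n_domain, b_domain)


MATCHERS: Dict[str, Callable[[str, str], bool]] = {DNS: dns_in_subtree, SRV: srv_in_subtree}


def name_permitted(nc: NameConstraints, form: str, value: str) -> bool:
    """Apply one CA's constraints to one SAN entry.

    The property that matters here, from RFC 5280 6.1.4 step (g): a subtree of
    one name form says nothing about another form. If the CA lists no
    permittedSubtrees for the entry's form, that form stays unconstrained.
    """
    match = MATCHERS[form]
    if any(f == form and match(value, base) for f, base in nc.excluded):
        return False
    bases = [base for f, base in nc.permitted if f == form]
    if not bases:
        return True            # no permitted subtree of this form: unconstrained
    return any(match(value, base) for base in bases)


def check_san(nc: NameConstraints, san: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Return (form, value, permitted) for every SAN entry of a subscriber cert."""
    return [(form, value, name_permitted(nc, form, value)) for form, value in san]


# Constructed sample data: a technically constrained sub-CA and a leaf it issued.
DNS_ONLY_CA = NameConstraints(permitted=[(DNS, "example.com")])
# Workaround 1 from the message: a permitted SRVName that no real name can match
# ("invalid" is a reserved TLD, so nothing legitimate lives under it).
DNS_PLUS_DUMMY_SRV_CA = NameConstraints(
    permitted=[(DNS, "example.com"), (SRV, "_invalid.invalid")]
)
LEAF_SAN = [
    (DNS, "www.example.com"),
    (DNS, "www.other.org"),
    (SRV, "_ldap.example.com"),
    (SRV, "_ldap.other.org"),
]

if __name__ == "__main__":
    for label, ca in (("dNSName constraint only", DNS_ONLY_CA),
                      ("dNSName + SRVName _invalid.invalid", DNS_PLUS_DUMMY_SRV_CA)):
        print(label)
        for form, value, ok in check_san(ca, LEAF_SAN):
            print(f"  {form:8} {value:22} {'permitted' if ok else 'REJECTED'}")
```

<div class="">Run stand-alone, the first block of output shows the problem the message describes: the dNSName-only sub-CA rejects www.other.org but accepts both SRVName entries, including _ldap.other.org, because nothing in its NameConstraints speaks to that name form. The second block shows the dummy SRVName subtree rejecting every SRVName while leaving the dNSName outcome unchanged.</div>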
</body>
</html>