[cabfpub] More changes to proposed policy update

Rob Stradling rob.stradling at comodo.com
Wed May 23 09:19:31 UTC 2012

On 23/05/12 09:57, Rob Stradling wrote:
> On 23/05/12 09:54, Rob Stradling wrote:
> <snip>
>> (Cross-posting to the new CABForum public list, 'cos that's probably
>> where we should continue this discussion!)
> Doh!  The correct address for the cabfpub list is public at cabforum.org.

And here's the original message...

On 23/05/12 00:52, Kathleen Wilson wrote:
 > I think we're only talking about two exceptions to the BRs, and one of
 > those exceptions is simply because critical name constraints are not
 > yet widely enough supported (hopefully that will change soon). Since
 > we are planning to require name constraints in certain situations, we
 > need to allow a use of them that will work in practice.

I don't see how allowing non-critical Name Constraints in just the 
Mozilla policy "will work in practice".

RFC5280 says that Name Constraints MUST be critical.
The Baseline Requirements v1.0 says "All other fields and extensions 
MUST be set in accordance to RFC 5280", meaning Name Constraints MUST be 

Mozilla plans to allow non-critical Name Constraints and maybe some 
other browser/software vendors will follow suit, but I think we have to 
assume that at least some browser/software vendors will choose to 
require strict adherence to the BRs.

So it's likely that using non-critical Name Constraints would violate at 
least one browser/software vendor's policy, which in practice would mean 
that most CAs would _not_ be able to use non-critical Name Constraints. 
  (Very few CAs need to follow _only_ Mozilla's policy!)

The consensus on the PKIX list seemed to be against updating RFC5280 to 
allow non-critical Name Constraints, but several folks suggested that it 
would be reasonable for the Baseline Requirements to be modified to 
allow non-critical Name Constraints.

Therefore, I think that Mozilla should propose a change to the Baseline 
Requirements to allow non-critical Name Constraints.  I'd be happy to 
endorse it.  I'd be surprised if anybody voted against it!

After that, there would be no need to have an exception in the Mozilla 
policy, and we would be able to say that non-critical Name Constraints 
"will work in practice".

(Cross-posting to the new CABForum public list, 'cos that's probably 
where we should continue this discussion!)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list