[cabfpub] More changes to proposed policy update

王文正 wcwang at cht.com.tw
Thu May 24 13:42:56 UTC 2012

Well, I will be the one who votes against it.

I do not think it is a good idea to change the Baseline Requirements to allow non-critical Name Constraints.

In RFC5280, the Name Constraints extension is required to be marked as critical if it is present in a certificate. RFC5280 has its reason to require that.

For the criticality of the Name Constraints extension, the text in the ITU-T X.509 standard reads "It is recommended that it be flagged critical; otherwise, a certificate user may not check that subsequent certificates in a certification path are located in the constrained name spaces intended by the issuing CA."

Since the purpose of adding this extension to the certificate is to enforce the constrained name spaces, the only way is to mark it as critical.

Therefore, if browsers want to have some certificates containing the Name Constraints extension, let's issue them in a conforming format.
Please do not ask CAs to violate RFC5280.

Wen-Cheng Wang
Chief PKI Product Manager
Chunghwa Telecom Co., Ltd

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wan-Teh Chang
Sent: Thursday, May 24, 2012 5:36 AM
To: Rob Stradling
Cc: public at cabforum.org
Subject: Re: [cabfpub] More changes to proposed policy update

On Wed, May 23, 2012 at 2:19 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> The consensus on the PKIX list seemed to be against updating RFC5280 
> to allow non-critical Name Constraints, but several folks suggested 
> that it would be reasonable for the Baseline Requirements to be 
> modified to allow non-critical Name Constraints.
> Therefore, I think that Mozilla should propose a change to the 
> Baseline Requirements to allow non-critical Name Constraints.  I'd be 
> happy to endorse it.  I'd be surprised if anybody voted against it!

Ideally this change should be made to RFC 5280.  Perhaps it's easier to change the Baseline Requirements than to change an RFC of the PKIX working group?

I support allowing non-critical Name Constraints.

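To make the risk in the quoted X.509 note concrete, here is an added pure-Python model of dNSName Name Constraints processing along a certification path (example code written for this page, not part of the thread and not any CA's or browser's implementation). The certificates, the two verifier profiles and the OID set they "understand" are constructed, and extension values are modelled as dicts rather than DER.

```python
from dataclasses import dataclass, field

NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints

@dataclass
class Cert:
    subject: str
    dns_names: list  # subjectAltName dNSName entries
    extensions: list = field(default_factory=list)  # (oid, critical, decoded value)

def dns_in_subtree(name, base):
    # RFC 5280 4.2.1.10: a dNSName matches when it equals the base or adds
    # labels on its left; the base carries no leading dot.
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)

def dns_permitted(name, permitted_sets, excluded):
    # Excluded subtrees win; permitted subtrees of successive CAs intersect,
    # so the name must match a base in every set collected so far.
    if any(dns_in_subtree(name, b) for b in excluded):
        return False
    return all(any(dns_in_subtree(name, b) for b in s) for s in permitted_sets)

def validate_path(path, understood_oids):
    """path[0] is the trust anchor, path[-1] the end-entity certificate.
    Returns (accepted, reason). RFC 5280 4.2: an unrecognized critical
    extension is fatal, an unrecognized non-critical one is skipped."""
    permitted_sets, excluded = [], []
    for depth, cert in enumerate(path):
        if depth > 0:  # constraints bind the certificates below a CA, not the CA itself
            for dns in cert.dns_names:
                if not dns_permitted(dns, permitted_sets, excluded):
                    return False, f"{dns} in {cert.subject} violates name constraints"
        for oid, critical, value in cert.extensions:
            if oid not in understood_oids:
                if critical:
                    return False, f"unrecognized critical extension {oid} in {cert.subject}"
                continue  # unknown and non-critical: ignored, so nothing is enforced
            if oid == NAME_CONSTRAINTS:
                if value.get("permitted"):
                    permitted_sets.append(value["permitted"])
                excluded += value.get("excluded", [])
    return True, "path accepted"

def demo(critical, leaf_name="www.example.net"):
    """Constructed path root -> sub-CA constrained to example.com -> leaf; returns
    (accepted by a verifier without NC support, accepted by one with it)."""
    nc = (NAME_CONSTRAINTS, critical, {"permitted": ["example.com"]})
    path = [Cert("Root CA", []), Cert("Constrained Sub CA", [], [nc]), Cert("Leaf", [leaf_name])]
    return validate_path(path, set())[0], validate_path(path, {NAME_CONSTRAINTS})[0]
```

With the extension critical, a verifier that does not implement Name Constraints rejects the out-of-scope leaf (fail closed); with it non-critical, the same verifier accepts the leaf and the constraint is never enforced.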