[cabfpub] More changes to proposed policy update

Chris Palmer palmer at google.com
Thu May 24 20:37:57 UTC 2012

On Thu, May 24, 2012 at 6:42 AM, 王文正 <wcwang at cht.com.tw> wrote:

> For the criticality of the Name Constraints extension, the text in the ITU-T X.509 standard reads "It is recommended that it be flagged critical; otherwise,
> a certificate user may not check that subsequent certificates in a certification path are located in the constrained name spaces intended by the issuing CA."

Sure, but otherwise-acceptable certificate chains fail in some clients
when the client sees critical fields it doesn't understand. That
effectively stops us from deploying name-constrained certificates
without an Internet Flag Day where everyone fixes their clients. Since
that is not going to happen, the way to get incremental improvement is
to allow non-critical name constraints, and for the vendors of smart
clients to enforce them where present.

That is, to smart clients they will be effectively critical, but dumb
clients at least won't explode. That's not ideal, but it is
significantly Better Than Nothing. Name constraints are so wonderfully
good that it's still very nice to get their benefits in some clients,
even if not in all clients.

So Google would most likely vote for it and implement it.

If it's not safe, is it really usable?

More information about the Public mailing list