[cabfpub] More changes to proposed policy update
wcwang at cht.com.tw
Fri May 25 10:43:18 UTC 2012
I do not get the logic here.
Since the purpose of adding the Name Constraints extension is to technically constrain the name space the externally-operated subordinate CA is allowed to issue subsequent certificates, I do not see how this purpose can be accomplished if we allow clients to ignore the Name Constraints extension (by marking it non-critical).
To those smart clients, marking the Name Constraints extension critical cause no problem because that extension is recognized. To those dumb clients, if they do not understand the meaning of the Name Constraints extension, it is dangerous for them to blindly accept the certificate. It comes naturally that those dumb clients should reject constrained certificate they do not understand. I do not see why allowing clients to blindly accept certificates which may be out of the allowed name space can materially reduce the risk of those that rely on us.
I do not oppose the use of the Name Constraints extension, but I want that extension to be used in the correct way.
From: Ryan Hurst [mailto:ryan.hurst at globalsign.com]
Sent: Friday, May 25, 2012 6:15 AM
To: 'Chris Palmer'; 王文正
Cc: public at cabforum.org
Subject: RE: [cabfpub] More changes to proposed policy update
I agree with Chris and others on this topic.
The intent of a standard is to document the desired end state, only sometimes do they bother themselves with the transition problem (which is why so many never really get fully deployed IMHO).
In this case the only downside of doing this is not complying with a clause in some document, the upside is materially reducing the risk of those that rely on us.
We are actively moving our customers to this model.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Chris Palmer
Sent: Thursday, May 24, 2012 1:38 PM
Cc: public at cabforum.org
Subject: Re: [cabfpub] More changes to proposed policy update
On Thu, May 24, 2012 at 6:42 AM, 王文正 <wcwang at cht.com.tw> wrote:
> For the criticality of the Name Constraints extension, the text in the
> ITU-T X.509 standard reads "It is recommended that it be flagged critical; otherwise, a certificate user may not check that subsequent certificates in a certification path are located in the constrained name spaces intended by the issuing CA."
Sure, but otherwise-acceptable certificate chains fail in some clients when the client sees critical fields it doesn't understand. That effectively stops us from deploying name-constrained certificates without an Internet Flag Day where everyone fixes their clients. Since that is not going to happen, the way to get incremental improvement is to allow non-critical name constraints, and for the vendors of smart clients to enforce them where present.
That is, to smart clients they will be effectively critical, but dumb clients at least won't explode. That's not ideal, but it is significantly Better Than Nothing. Name constraints are so wonderfully good that it's still very nice to get their benefits in some clients, even if not in all clients.
So Google would most likely vote for it and implement it.
If it's not safe, is it really usable?
Public mailing list
Public at cabforum.org
More information about the Public