[cabfpub] More changes to proposed policy update

Steve Roylance steve.roylance at globalsign.com
Fri May 25 11:00:11 UTC 2012

Hi Wen-Cheng,

There will be a motion shortly to allow this into the BR and EV guidelines
to ensure business continuity with a path towards full security.

If we allow it to be accepted and we then push the non compliant (dumb)
clients to recognize the extension ASAP then it's the best way of
protecting the majority in the shortest time.

If we don't allow it to be accepted then the ONLY real alternative is to
NOT constrain at all and push all parties towards audit, where compromises
can and have happened.

A technical constraint for 75% of the people is better than a non
technical constraint for 100% i.e. 25% at risk rather than 100%.

Crowd sourcing on certificates that fail due to constraints will identify
issues faster than ones which are not constrained and slip past.

I hope that helps your understand at least my logic for approving this


On 25/05/2012 11:43, "王文正" <wcwang at cht.com.tw> wrote:

>I do not get the logic here.
>Since the purpose of adding the Name Constraints extension is to
>technically constrain the name space the externally-operated subordinate
>CA is allowed to issue subsequent certificates, I do not see how this
>purpose can be accomplished if we allow clients to ignore the Name
>Constraints extension (by marking it non-critical).
>To those smart clients, marking the Name Constraints extension critical
>cause no problem because that extension is recognized. To those dumb
>clients, if they do not understand the meaning of the Name Constraints
>extension, it is dangerous for them to blindly accept the certificate. It
>comes naturally that those dumb clients should reject constrained
>certificate they do not understand. I do not see why allowing clients to
>blindly accept certificates which may be out of the allowed name space
>can materially reduce the risk of those that rely on us.
>I do not oppose the use of the Name Constraints extension, but I want
>that extension to be used in the correct way.
>Wen-Cheng Wang
>-----Original Message-----
>From: Ryan Hurst [mailto:ryan.hurst at globalsign.com]
>Sent: Friday, May 25, 2012 6:15 AM
>To: 'Chris Palmer'; 王文正
>Cc: public at cabforum.org
>Subject: RE: [cabfpub] More changes to proposed policy update
>I agree with Chris and others on this topic.
>The intent of a standard is to document the desired end state, only
>sometimes do they bother themselves with the transition problem (which is
>why so many never really get fully deployed IMHO).
>In this case the only downside of doing this is not complying with a
>clause in some document, the upside is materially reducing the risk of
>those that rely on us.
>We are actively moving our customers to this model.
>-----Original Message-----
>From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
>Behalf Of Chris Palmer
>Sent: Thursday, May 24, 2012 1:38 PM
>To: 王文正
>Cc: public at cabforum.org
>Subject: Re: [cabfpub] More changes to proposed policy update
>On Thu, May 24, 2012 at 6:42 AM, 王文正 <wcwang at cht.com.tw> wrote:
>> For the criticality of the Name Constraints extension, the text in the
>> ITU-T X.509 standard reads "It is recommended that it be flagged
>>critical; otherwise, a certificate user may not check that subsequent
>>certificates in a certification path are located in the constrained name
>>spaces intended by the issuing CA."
>Sure, but otherwise-acceptable certificate chains fail in some clients
>when the client sees critical fields it doesn't understand. That
>effectively stops us from deploying name-constrained certificates without
>an Internet Flag Day where everyone fixes their clients. Since that is
>not going to happen, the way to get incremental improvement is to allow
>non-critical name constraints, and for the vendors of smart clients to
>enforce them where present.
>That is, to smart clients they will be effectively critical, but dumb
>clients at least won't explode. That's not ideal, but it is significantly
>Better Than Nothing. Name constraints are so wonderfully good that it's
>still very nice to get their benefits in some clients, even if not in all
>So Google would most likely vote for it and implement it.
>If it's not safe, is it really usable?
>Public mailing list
>Public at cabforum.org
>Public mailing list
>Public at cabforum.org

More information about the Public mailing list