[cabfpub] More changes to proposed policy update

Rob Stradling rob.stradling at comodo.com
Fri May 25 11:11:50 UTC 2012

On 25/05/12 11:43, 王文正 wrote:
> I do not get the logic here.

I think Ryan's post explained the logic clearly and succinctly.

You're looking only at the "desired end state".  Please consider the 
"transition problem".

Security versus Usability.  If we can't ever Use it in practice, we 
won't ever benefit from the Security it offers.

Today, Critical Name Constraints are considered undeployable by many 
CAs, because too much relying party software would break.  Therefore, 
using the Name Constraints extension _at all_ is not an option for us.

Non-critical Name Constraints are better than No Name Constraints!

The "desired end state" is...
1. Name Constraints always Critical.
2. Name Constraints actually used!

If you can suggest an alternative way to solve the "transition problem" 
so that we can reach the "desired end state", we would love to hear it!

Nobody is suggesting that CAs should be prohibited from setting the Name 
Constraints extension to Critical.  All we are saying is that CAs should 
be allowed to use non-critical Name Constraints instead of No Name 
Constraints at all.

> Since the purpose of adding the Name Constraints extension is to technically constrain the name space the externally-operated subordinate CA is allowed to issue subsequent certificates, I do not see how this purpose can be accomplished if we allow clients to ignore the Name Constraints extension (by marking it non-critical).
> To those smart clients, marking the Name Constraints extension critical cause no problem because that extension is recognized. To those dumb clients, if they do not understand the meaning of the Name Constraints extension, it is dangerous for them to blindly accept the certificate. It comes naturally that those dumb clients should reject constrained certificate they do not understand. I do not see why allowing clients to blindly accept certificates which may be out of the allowed name space can materially reduce the risk of those that rely on us.
> I do not oppose the use of the Name Constraints extension, but I want that extension to be used in the correct way.
> Wen-Cheng Wang
> -----Original Message-----
> From: Ryan Hurst [mailto:ryan.hurst at globalsign.com]
> Sent: Friday, May 25, 2012 6:15 AM
> To: 'Chris Palmer'; 王文正
> Cc: public at cabforum.org
> Subject: RE: [cabfpub] More changes to proposed policy update
> I agree with Chris and others on this topic.
> The intent of a standard is to document the desired end state, only sometimes do they bother themselves with the transition problem (which is why so many never really get fully deployed IMHO).
> In this case the only downside of doing this is not complying with a clause in some document, the upside is materially reducing the risk of those that rely on us.
> We are actively moving our customers to this model.
> Ryan
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Chris Palmer
> Sent: Thursday, May 24, 2012 1:38 PM
> To: 王文正
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] More changes to proposed policy update
> On Thu, May 24, 2012 at 6:42 AM, 王文正<wcwang at cht.com.tw>  wrote:
>> For the criticality of the Name Constraints extension, the text in the
>> ITU-T X.509 standard reads "It is recommended that it be flagged critical; otherwise, a certificate user may not check that subsequent certificates in a certification path are located in the constrained name spaces intended by the issuing CA."
> Sure, but otherwise-acceptable certificate chains fail in some clients when the client sees critical fields it doesn't understand. That effectively stops us from deploying name-constrained certificates without an Internet Flag Day where everyone fixes their clients. Since that is not going to happen, the way to get incremental improvement is to allow non-critical name constraints, and for the vendors of smart clients to enforce them where present.
> That is, to smart clients they will be effectively critical, but dumb clients at least won't explode. That's not ideal, but it is significantly Better Than Nothing. Name constraints are so wonderfully good that it's still very nice to get their benefits in some clients, even if not in all clients.
> So Google would most likely vote for it and implement it.
> --
> If it's not safe, is it really usable?
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> http://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> http://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list