[cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.

Steve Roylance steve.roylance at globalsign.com
Wed Jul 17 15:37:29 MST 2013


Thanks Kirk.

Yes, it looks like I missed out adding the word 'Certificate' as Name Constraints are indeed applicable to certificates/CAs and not organisations/CAs. The confusion stems from the fact we sometimes refer to both as CAs. 

I'll amend the Wiki Ballot text tomorrow morning UK time.

Thanks.

PS. Indeed NC can only be applied to a CA Certificate which issues other certificates for those constraints to be applied to. They don't make sense for end entities.



Sent from my iPhone

On 17 Jul 2013, at 18:20, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:

> In reading Ballot 105, our technical team has a question about Section 9.7, particularly this paragraph
>  
> If the Subordinate CA Certificate includes the id-kp-serverAuth extended key usage, then the Subordinate CA MUST include the Name Constraints X.509v3 extension with constraints on dNSName, iPAddress and DirectoryName as follows:
>  
> (a) For each dNSName in permittedSubtrees, the CA MUST confirm that the Applicant has registered the dNSName or has been authorized by the domain registrant to act on the registrant's behalf in line with the verification practices of section 11.1.
>  
> (b) For each iPAddress range in permittedSubtrees, the CA MUST confirm that the Applicant has been assigned the iPAddress range or has been authorized by the assigner to act on the assignee's behalf.
>  
> (c) For each DirectoryName in permittedSubtrees, the CA MUST confirm the Applicant's and/or Subsidiary's Organizational name and location such that end entity certificates issued from the subordinate CA will be in compliance with sections 9.2.4 and 9.2.5.
>  
> The wording “then the Subordinate CA MUST include the Name Constraints X.509v3 extension” is not clear as to whether the constraints are applied to the sub CA certificate or to an EE certificate the sub CA is going to issue.  Should it read “then the Subordinate CA *certificate* MUST include the Name Constraints X.509v3 extension ***” for clarity?  Is that the intention?
>  
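The quoted Section 9.7 text and Steve's PS both rest on the same mechanism: the Name Constraints extension sits on the Subordinate CA certificate, and a relying party enforces it against the names in every certificate that CA issues. The following is an added example (not part of the ballot, the thread or any CA's code) of that enforcement for the three name forms the ballot names: dNSName matching per RFC 5280 section 4.2.1.10, iPAddress matching against an address/mask subtree, and DirectoryName matching by distinguished-name prefix. The constraint set, the two end-entity certificates and all names are constructed for illustration; only the Python standard library is used.

```python
# Added example, not from the CAB Forum thread: RFC 5280-style permittedSubtrees
# checking for dNSName, iPAddress and directoryName. All values are constructed.
import ipaddress

# A distinguished name is modelled as a tuple of (attribute, value) pairs in
# root-first order, e.g. (("C", "GB"), ("O", "Example Ltd"), ("CN", "www.example.com")).
DN = tuple[tuple[str, str], ...]


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: 'example.com' covers that host and every subdomain;
    a leading dot ('.example.com') covers subdomains only. A wildcard label in
    the leaf name is treated like any other label."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def ip_in_subtree(addr: str, subtree: str) -> bool:
    """iPAddress subtrees are address/mask pairs; CIDR notation stands in for
    the mask here. An IPv6 address never matches an IPv4 subtree or vice versa."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(subtree, strict=False)


def _norm(dn: DN) -> DN:
    # Attribute types are case-insensitive; values get a simple case fold.
    return tuple((attr.upper(), value.casefold()) for attr, value in dn)


def dn_in_subtree(dn: DN, subtree: DN) -> bool:
    """A directoryName subtree matches a DN when the subtree is a prefix of it,
    so C=GB,O=Example Ltd covers C=GB,O=Example Ltd,CN=anything."""
    dn, subtree = _norm(dn), _norm(subtree)
    return dn[: len(subtree)] == subtree


def violations(leaf: dict, permitted: dict) -> list[str]:
    """Return one message per leaf name that lies outside the sub-CA's
    permittedSubtrees. A name form with no permitted subtree on the CA is
    unconstrained, as in RFC 5280; an empty list means the leaf is acceptable."""
    out = []
    if permitted.get("dNSName"):
        for host in leaf.get("dNSName", []):
            if not any(dns_in_subtree(host, s) for s in permitted["dNSName"]):
                out.append(f"dNSName {host} outside permitted subtrees")
    if permitted.get("iPAddress"):
        for addr in leaf.get("iPAddress", []):
            if not any(ip_in_subtree(addr, s) for s in permitted["iPAddress"]):
                out.append(f"iPAddress {addr} outside permitted subtrees")
    if permitted.get("directoryName"):
        for dn in leaf.get("directoryName", []):
            if not any(dn_in_subtree(dn, s) for s in permitted["directoryName"]):
                out.append(f"directoryName {dn} outside permitted subtrees")
    return out


# Constructed permittedSubtrees as they would sit on the sub-CA certificate
# after the CA has validated domain, IP range and organisation per Section 9.7.
SUB_CA_PERMITTED = {
    "dNSName": ["example.com"],
    "iPAddress": ["192.0.2.0/24", "2001:db8::/32"],
    "directoryName": [(("C", "GB"), ("O", "Example Ltd"))],
}

# Constructed end-entity certificate contents: SAN names plus the subject DN.
GOOD_LEAF = {
    "dNSName": ["www.example.com", "*.shop.example.com"],
    "iPAddress": ["192.0.2.10", "2001:db8::1"],
    "directoryName": [(("C", "GB"), ("O", "Example Ltd"), ("CN", "www.example.com"))],
}

BAD_LEAF = {
    "dNSName": ["www.example.com", "login.example.org"],
    "iPAddress": ["198.51.100.7"],
    "directoryName": [(("C", "GB"), ("O", "Other Ltd"), ("CN", "login.example.org"))],
}

if __name__ == "__main__":
    print("good leaf:", violations(GOOD_LEAF, SUB_CA_PERMITTED))
    for problem in violations(BAD_LEAF, SUB_CA_PERMITTED):
        print("bad leaf:", problem)
```

Note the edge case in `dns_in_subtree`: a subtree of `example.com` must not cover `notexample.com`, which is why the check requires either equality or a `.example.com` suffix rather than a bare suffix match. The directoryName check is what ties Section 9.7(c) to sections 9.2.4 and 9.2.5: once the sub-CA's permitted DN fixes the organisation and country, a relying party rejects any end-entity subject the sub-CA tries to issue under a different organisation.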

