[cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.

Steve Roylance steve.roylance at globalsign.com
Wed Jul 17 15:38:47 MST 2013


Thanks Erwann. I see you clarified for me, so as mentioned prior to seeing your reply, I'll amend tomorrow.

Sent from my iPhone

On 17 Jul 2013, at 18:59, Erwann Abalea <erwann.abalea at keynectis.com> wrote:

> The NameConstraints extension can only be included in a CA certificate (its use in an EE certificate has no meaning).
> You're right, the additional certificate word makes the sentence more clear.
> 
> -- 
> Erwann ABALEA
> 
> On 17/07/2013 19:20, kirk_hall at trendmicro.com wrote:
>> In reading Ballot 105, our technical team has a question about Section 9.7, particularly this paragraph
>>  
>> If the Subordinate CA Certificate includes the id-kp-serverAuth extended key usage, then the Subordinate CA MUST include the Name Constraints X.509v3 extension with constraints on dNSName, iPAddress and DirectoryName as follows:-
>>  
>> [...]
>>  
>> The wording “then the Subordinate CA MUST include the Name Constraints X.509v3 extension” is not clear as to whether the constraints are applied to the sub CA certificate or to an EE certificate the sub CA is going to issue.  Should it read “then the Subordinate CA *certificate* MUST include the Name Constraints X.509v3 extension ***” for clarity?  Is that the intention?
> 
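The check the quoted Section 9.7 paragraph implies, as an added example that is not part of the thread or of the ballot text: given the DER value of the Name Constraints extension taken from a Subordinate CA certificate that carries id-kp-serverAuth, report which of dNSName, iPAddress and directoryName have no constraint at all. The specific constraint values are elided on this page, so only presence is checked; the function names and the sample bytes are constructed for illustration.

```python
REQUIRED = {2: "dNSName", 4: "directoryName", 7: "iPAddress"}  # GeneralName tag numbers

def tlv(tag, value):
    """Encode one short-form DER TLV (enough for the constructed samples)."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode the DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def missing_forms(name_constraints_der):
    """Return the required name forms that no permitted/excluded subtree constrains."""
    tag, body, end = read_tlv(name_constraints_der)
    if tag != 0x30 or end != len(name_constraints_der):
        raise ValueError("not a NameConstraints SEQUENCE")
    seen = set()
    for side, subtrees in children(body):
        if side not in (0xA0, 0xA1):  # [0] permittedSubtrees, [1] excludedSubtrees
            raise ValueError("unexpected field in NameConstraints")
        for _, subtree in children(subtrees):       # each GeneralSubtree
            seen.add(read_tlv(subtree)[0] & 0x1F)    # tag number of its base GeneralName
    return sorted(name for num, name in REQUIRED.items() if num not in seen)

# Constructed samples: one GeneralSubtree per name form.
DNS = tlv(0x30, tlv(0x82, b"example.com"))
IP = tlv(0x30, tlv(0x87, bytes([192, 0, 2, 0, 255, 255, 255, 0])))  # 192.0.2.0/24
ORG = tlv(0x30, tlv(0x06, b"\x55\x04\x0a") + tlv(0x0C, b"Example"))  # O=Example
DIR = tlv(0x30, tlv(0xA4, tlv(0x30, tlv(0x31, ORG))))
FULL = tlv(0x30, tlv(0xA0, DNS + IP + DIR))
DNS_ONLY = tlv(0x30, tlv(0xA0, DNS))
```
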

