[cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.
Erwann Abalea
erwann.abalea at keynectis.com
Wed Jul 17 17:59:29 UTC 2013
The NameConstraints extension can only be included in a CA certificate
(its use in an EE certificate has no meaning).
You're right, the additional *certificate* word makes the sentence more
clear.
--
Erwann ABALEA
On 17/07/2013 19:20, kirk_hall at trendmicro.com wrote:
>
> In reading Ballot 105, our technical team has a question about Section
> 9.7, particularly this paragraph
>
> If the Subordinate CA Certificate includes the id-kp-serverAuth
> extended key usage, _then the Subordinate CA MUST include the Name
> Constraints X.509v3 extension with constraints on dNSName, iPAddress
> and DirectoryName_ as follows:-
>
> [...]
>
> The wording "then the Subordinate CA MUST include the Name Constraints
> X.509v3 extension" is not clear as to whether the constraints are
> applied to the sub CA certificate or to an EE certificate the sub CA
> is going to issue. Should it read "then the Subordinate CA
> *certificate* MUST include the Name Constraints X.509v3
> extension ***" for clarity? Is that the intention?
>
>