[Servercert-wg] Removing the exception to allow non-critical name constraints

Ryan Sleevi sleevi at google.com
Tue Oct 15 19:11:52 MST 2019

On Tue, Oct 15, 2019 at 8:07 PM Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Thanks Ryan. This is a good idea, but I'd like to hear Apple's thoughts on
> the timing. El Capitan (the version of macOS prior to Sierra) appears to
> still have significant usage, even though it's not receiving security
> updates.

I'd like to push back a little on the "significant usage", if only because
it's important for the precedence we have with subjective requirements.
This is important, especially as we had unfortunately adopted similar
language here as we did for SHA-1 which substantially delayed migration.
The BRs only permit CAs to ignore 5280 only until a "substantial portion"
of Relying Parties worldwide support nameConstraints. We know that 90% of
macOS users, and presumably 100% of Chrome, Android, Firefox, and Windows
users make use of this. It's up to CAs to demonstrate substantiality, and
we haven't really seen much data here.

That said, it's also important to note that this would only impact the
creation/usage of technically constrained sub-CAs. We can see that there is
an extremely limited number of those, as captured and disclosed at
https://crt.sh/mozilla-disclosures#constrained . Several of those
certificates are constrained (e.g. to not include TLS) or, more
substantially, are rather significantly misissued in such a way that
clients do not actually function with them. So that is very much an
upper-bound of compatibility concerns. Assuming the use of nameConstraints
as a means of constraining issuance to a specific customer or enterprise,
it's much easier to reason about the compatibility concerns there, as it
will generally be localized to just that organization.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191015/318a3ab4/attachment.html>

More information about the Servercert-wg mailing list