[Servercert-wg] Removing the exception to allow non-critical name constraints

Wayne Thayer wthayer at mozilla.com
Wed Oct 16 17:28:00 MST 2019


On Tue, Oct 15, 2019 at 7:12 PM Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

>
> On Tue, Oct 15, 2019 at 8:07 PM Wayne Thayer via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Thanks Ryan. This is a good idea, but I'd like to hear Apple's thoughts
>> on the timing. El Capitan (the version of macOS prior to Sierra) appears to
>> still have significant usage, even though it's not receiving security
>> updates.
>>
>
> I'd like to push back a little on the "significant usage", if only because
> it's important for the precedence we have with subjective requirements.
> This is important, especially as we had unfortunately adopted similar
> language here as we did for SHA-1 which substantially delayed migration.
> The BRs permit CAs to ignore 5280 only until a "substantial portion"
> of Relying Parties worldwide support nameConstraints. We know that 90% of
> macOS users, and presumably 100% of Chrome, Android, Firefox, and Windows
> users make use of this. It's up to CAs to demonstrate substantiality, and
> we haven't really seen much data here.
>
> That said, it's also important to note that this would only impact the
> creation/usage of technically constrained sub-CAs. We can see that there is
> an extremely limited number of those, as captured and disclosed at
> https://crt.sh/mozilla-disclosures#constrained . Several of those
> certificates are constrained (e.g. to not include TLS) or, more
> substantially, are rather significantly misissued in such a way that
> clients do not actually function with them. So that is very much an
> upper-bound of compatibility concerns. Assuming the use of nameConstraints
> as a means of constraining issuance to a specific customer or enterprise,
> it's much easier to reason about the compatibility concerns there, as it
> will generally be localized to just that organization.
>
>
I agree with all of this except for the implication that we should go ahead
without at least asking for more information.
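The thread turns on two things a relying party does with a nameConstraints extension: apply the DNS subtree matching rules of RFC 5280 section 4.2.1.10, and, if it does not understand the extension at all, reject the certificate when the extension is marked critical but silently ignore it when it is not. The following self-contained Python model is an added example, not code from this thread or from any CA Browser Forum or Mozilla project; the domain names and the `NameConstraints`, `dns_name_permitted` and `relying_party_decision` names are constructed for illustration and assume plain DNS names (no IP, email or URI subtrees). It shows why the non-critical exception matters: a legacy client that does not support the extension enforces nothing when the extension is non-critical, which is exactly the compatibility-versus-security trade-off being discussed.

```python
"""Model of how a relying party treats an X.509 nameConstraints extension
(RFC 5280 4.2.1.10), restricted to dNSName subtrees.

Constructed example, not part of the original mailing-list thread.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class NameConstraints:
    """Hypothetical in-memory form of the extension's DNS subtrees."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)
    critical: bool = True  # RFC 5280 says this extension MUST be critical


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().lower().rstrip(".")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a DNS name satisfies a subtree if it equals the subtree or
    can be formed by adding one or more labels to the left of it."""
    name, subtree = _normalize(name), _normalize(subtree)
    if not subtree:
        return False  # an empty subtree constrains nothing
    return name == subtree or name.endswith("." + subtree)


def dns_name_permitted(name: str, nc: NameConstraints) -> bool:
    """Excluded subtrees win over permitted ones; if no permitted subtree is
    listed, any name not excluded is allowed."""
    if any(dns_in_subtree(name, s) for s in nc.excluded_dns):
        return False
    if nc.permitted_dns:
        return any(dns_in_subtree(name, s) for s in nc.permitted_dns)
    return True


def relying_party_decision(name: str, nc: NameConstraints,
                           supports_name_constraints: bool) -> Tuple[str, str]:
    """Return ("accept"|"reject", reason) for a leaf DNS name chained through
    a sub-CA carrying `nc`, as seen by a client that may or may not implement
    the extension."""
    if not supports_name_constraints:
        # RFC 5280 4.2: unrecognized critical extensions make the cert invalid;
        # unrecognized non-critical extensions are simply ignored.
        if nc.critical:
            return ("reject", "unrecognized critical extension")
        return ("accept", "non-critical extension ignored; constraint not enforced")
    if dns_name_permitted(name, nc):
        return ("accept", "name within permitted subtrees")
    return ("reject", "name outside permitted or inside excluded subtrees")


if __name__ == "__main__":
    # Constructed sub-CA constrained to one customer's domain.
    nc = NameConstraints(permitted_dns=["example.com"],
                         excluded_dns=["internal.example.com"])
    for client in (True, False):
        for host in ("www.example.com", "db.internal.example.com", "evil.test"):
            print(client, host, relying_party_decision(host, nc, client))
```

The legacy-client branch is the one the thread is about: with `critical=True`, a client lacking support rejects every certificate under the constrained sub-CA (the compatibility cost of removing the exception), while with `critical=False` it accepts even names outside the permitted subtree (the security cost of keeping it).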