[Servercert-wg] Removing the exception to allow non-critical name constraints

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Oct 17 04:39:51 MST 2019



On 2019-10-16 5:11 AM, Ryan Sleevi via Servercert-wg wrote:
>
>
> On Tue, Oct 15, 2019 at 8:07 PM Wayne Thayer via Servercert-wg 
> <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
>
>     Thanks Ryan. This is a good idea, but I'd like to hear Apple's
>     thoughts on the timing. El Capitan (the version of macOS prior to
>     Sierra) appears to still have significant usage, even though it's
>     not receiving security updates.
>
>
> I'd like to push back a little on the "significant usage", if only 
> because it's important for the precedence we have with subjective 
> requirements. This is important, especially as we had unfortunately 
> adopted similar language here as we did for SHA-1 which substantially 
> delayed migration. The BRs permit CAs to ignore 5280 only until a 
> "substantial portion" of Relying Parties worldwide support 
> nameConstraints. We know that 90% of macOS users, and presumably 100% 
> of Chrome, Android, Firefox, and Windows users make use of this. It's 
> up to CAs to demonstrate substantiality, and we haven't really seen 
> much data here.
>
> That said, it's also important to note that this would only impact the 
> creation/usage of technically constrained sub-CAs. We can see that 
> there is an extremely limited number of those, as captured and 
> disclosed at https://crt.sh/mozilla-disclosures#constrained . Several 
> of those certificates are constrained (e.g. to not include TLS) or, 
> more substantially, are rather significantly misissued in such a way 
> that clients do not actually function with them. So that is very much 
> an upper-bound of compatibility concerns. Assuming the use of 
> nameConstraints as a means of constraining issuance to a specific 
> customer or enterprise, it's much easier to reason about the 
> compatibility concerns there, as it will generally be localized to 
> just that organization.
>

Ryan,

I think you should also consider 
https://crt.sh/mozilla-disclosures#disclosedbutconstrained which is a 
significantly larger set.

We should be careful with this change because it could impact legacy 
systems that don't support name constraints and would break 
compatibility. This is one of those things that will definitely break 
compatibility.


Dimitris.
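A small defender-side audit for the requirement the thread is discussing, added here as an example and not part of the list archive: given a DER-encoded X.509 Extensions sequence, it reports whether nameConstraints (OID 2.5.29.30) is present but not marked critical, which RFC 5280 section 4.2.1.10 requires and which the BR exception permits. The Extensions blob is constructed inline and the function names are assumptions, not from any CA tooling.

```python
NAME_CONSTRAINTS_OID = "2.5.29.30"  # id-ce-nameConstraints

def _tlv(tag, content):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def parse_extensions(der):
    """Parse an X.509 Extensions SEQUENCE into [(oid, critical, extnValue)]."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_bytes, p = _read_tlv(ext, 0)
        tag, value, p = _read_tlv(ext, p)
        critical = tag == 0x01 and value == b"\xff"
        if tag == 0x01:  # explicit BOOLEAN critical; DEFAULT FALSE when absent
            _, value, p = _read_tlv(ext, p)
        exts.append((_decode_oid(oid_bytes), critical, value))
    return exts

def has_noncritical_name_constraints(der):
    """True when nameConstraints is present but not flagged critical (RFC 5280 4.2.1.10)."""
    return any(o == NAME_CONSTRAINTS_OID and not c for o, c, _ in parse_extensions(der))

def sample_extensions(critical):
    """Constructed Extensions blob: nameConstraints permitting dNSName example.com."""
    subtree = _tlv(0x30, _tlv(0x82, b"example.com"))           # GeneralSubtree {dNSName}
    name_constraints = _tlv(0x30, _tlv(0xA0, subtree))         # permittedSubtrees [0]
    fields = _tlv(0x06, b"\x55\x1d\x1e") + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, _tlv(0x30, fields + _tlv(0x04, name_constraints)))
```

On a real certificate, feed it the contents of the `extensions [3]` field of the TBSCertificate; the walker handles long-form lengths, so production-size extension lists parse as well.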