[Servercert-wg] Question on BR 3.2.2.6

Ryan Sleevi sleevi at google.com
Thu Feb 27 12:35:28 MST 2020


On Thu, Feb 27, 2020 at 2:18 PM Corey Bonnell via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> It’s a PKI footgun for sure, but here’s the relevant paragraph from
> 4.2.1.10:
>
> “DNS name restrictions are expressed as host.example.com.  Any DNS
>    name that can be constructed by simply adding zero or more labels to
>    the left-hand side of the name satisfies the name constraint.  For
>    example, www.host.example.com would satisfy the constraint but
>    host1.example.com would not.”
>
> A dNSName permittedSubtree value of “gov.XX” wouldn’t allow “nogov.XX”, as
> the matching is done by appending zero or more labels to the dNSName and not a
> simple string concatenation. In other words, “gov.XX” and “www.gov.XX” are
> permitted, but “nogov.XX” is not.
>
> As for the ACM documentation you provided, I don’t think it’s
> RFC-compliant given the paragraph above. Here’s an example (long-expired)
> subCA that contains incorrectly encoded nameConstraints (due to the leading
> period) and cablint complains:
> https://crt.sh/?id=2929505&opt=cablint,zlint. Interestingly, zlint does
> not flag this error.
>

Thanks for pointing that out, Corey. I filed
https://github.com/zmap/zlint/issues/413 for this, because as you note, it
is malformed.
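The label-wise matching rule quoted above, and the leading-period encoding error that cablint flags, as an added worked example. This is not code from the thread, from zlint or from cablint; the function names, the label-syntax regex (an assumption: RFC 1034 preferred name syntax as relaxed by RFC 1123, no underscores) and the sample names are my own. `naive_suffix_match` is included only to show the string-suffix footgun the thread warns about next to the correct label-by-label comparison.

```python
"""
Added example (not part of the original thread): dNSName name-constraint
matching per RFC 5280 section 4.2.1.10, plus the well-formedness check that
catches a leading-period constraint such as ".example.com".
Function names and sample values are my own, not from any CA, zlint or cablint.
"""
import re

# Label syntax used for the well-formedness check (assumption: RFC 1034
# "preferred name syntax" as relaxed by RFC 1123; underscores not allowed).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _labels(name: str) -> list:
    """Split a DNS name into labels, lower-cased (DNS comparison is
    case-insensitive), ignoring at most one trailing dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.lower().split(".") if name else []


def dnsname_constraint_is_wellformed(constraint: str):
    """Return (ok, reason). RFC 5280 writes dNSName subtrees as host.example.com;
    a leading period (".example.com") is not a valid encoding, which is the
    error cablint reports on the subCA linked in the thread."""
    if constraint == "":
        return False, "empty dNSName constraint"
    if constraint.startswith("."):
        return False, "leading period; constraints are written as host.example.com"
    for label in _labels(constraint):
        if label == "":
            return False, "empty label (consecutive or trailing dots)"
        if not _LABEL_RE.match(label):
            return False, "label %r is not valid DNS label syntax" % label
    return True, ""


def dnsname_satisfies_constraint(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a name satisfies a dNSName subtree iff it can be
    built by adding zero or more labels to the LEFT of the constraint.
    Comparison is label-by-label, never a string-suffix test, so
    nogov.XX does not satisfy gov.XX."""
    n, c = _labels(name), _labels(constraint)
    if not c or len(n) < len(c):
        return False
    return n[len(n) - len(c):] == c


def naive_suffix_match(name: str, constraint: str) -> bool:
    """The footgun: a plain string-suffix comparison. It wrongly accepts
    nogov.XX under a gov.XX constraint. Shown only for contrast."""
    return name.lower().endswith(constraint.lower())


def dnsname_permitted(name: str, permitted, excluded) -> bool:
    """Apply a certificate's dNSName permittedSubtrees / excludedSubtrees to
    one name, following RFC 5280 6.1.4: any excluded match rejects, and if
    permitted dNSName subtrees exist the name must match at least one."""
    if any(dnsname_satisfies_constraint(name, x) for x in excluded):
        return False
    if permitted:
        return any(dnsname_satisfies_constraint(name, p) for p in permitted)
    return True


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's discussion.
    for n in ("gov.XX", "www.gov.XX", "nogov.XX", "host1.example.com"):
        print(n, "label-wise:", dnsname_satisfies_constraint(n, "gov.XX"),
              "naive suffix:", naive_suffix_match(n, "gov.XX"))
    print(dnsname_constraint_is_wellformed(".example.com"))
```

Running the block prints, for a "gov.XX" constraint, that "gov.XX" and "www.gov.XX" match under both comparisons while "nogov.XX" matches only under the naive suffix test, and that ".example.com" is rejected as malformed before any matching is attempted. A linter should run the well-formedness check first: a malformed subtree has no defined matching semantics, so reporting it is the only safe outcome.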