[Servercert-wg] [Ext] Critical Name Constraints (Was: Re:Question on BR 3.2.2.6)

Paul Hoffman paul.hoffman at icann.org
Tue Mar 3 11:10:47 MST 2020


De-cloaking for a moment.


On Mar 3, 2020, at 5:09 AM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:

> Any system that is ignoring nameConstraints has a CRITICAL security vulnerability. The assumptions inherent here are that we allow looser supervision and auditing in exchange for the technical assurance of nameConstraints.
> 
> Put differently: If something breaks, *good*, that's the entire point of why RFC 5280 requires nameConstraints; so that insecure systems fail closed.

Ryan is correct here. However, before anyone says "but RFC 5280 is somewhat recent", note that the same requirements (made for the same reasons) were in RFC 2459, which was published over 20 years ago.

--Paul Hoffman
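
The fail-closed behaviour discussed in this thread, as an added example that is not part of the original message: a validator that does not implement nameConstraints rejects the chain when the extension is marked critical, and accepts an out-of-scope name when it is not. The dict-based certificate model, the function names and the sample CA are assumptions constructed for illustration; only dNSName subtrees are handled.

```python
# Constructed model, not an X.509 parser: a CA certificate is a dict whose
# "extensions" map an extension name to {"critical": bool, "value": ...}.
NAME_CONSTRAINTS = "nameConstraints"
FULL = {"basicConstraints", "keyUsage", NAME_CONSTRAINTS}   # implements nameConstraints
LEGACY = {"basicConstraints", "keyUsage"}                   # does not

def dns_in_subtree(name, base):
    """RFC 5280 4.2.1.10 dNSName rule: a name satisfies the constraint if it
    equals the base or adds one or more labels on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)

def check_chain(ca_certs, leaf_dns_names, understood):
    """Return (ok, reason) for the leaf's DNS names against each CA's constraints."""
    for ca in ca_certs:
        exts = ca["extensions"]
        for ext_name, ext in exts.items():
            # RFC 5280 4.2: a critical extension the validator cannot process
            # means the certificate must be rejected (fail closed).
            if ext["critical"] and ext_name not in understood:
                return False, f"{ca['subject']}: unprocessed critical {ext_name}"
        if NAME_CONSTRAINTS not in exts or NAME_CONSTRAINTS not in understood:
            continue  # non-critical and unknown: skipped without any error
        value = exts[NAME_CONSTRAINTS]["value"]
        permitted = value.get("permitted_dns", [])
        excluded = value.get("excluded_dns", [])
        for name in leaf_dns_names:
            if any(dns_in_subtree(name, b) for b in excluded):
                return False, f"{name} is in an excluded subtree"
            if permitted and not any(dns_in_subtree(name, b) for b in permitted):
                return False, f"{name} is outside the permitted subtrees"
    return True, "ok"

def constrained_ca(critical):
    """Constructed sample: a sub-CA limited to example.com."""
    return {"subject": "CN=Constructed Constrained Sub-CA", "extensions": {
        "basicConstraints": {"critical": True, "value": {"ca": True}},
        NAME_CONSTRAINTS: {"critical": critical,
                           "value": {"permitted_dns": ["example.com"]}},
    }}

if __name__ == "__main__":
    for critical in (True, False):
        for label, understood in (("full", FULL), ("legacy", LEGACY)):
            for leaf in ("www.example.com", "www.example.net"):
                ok, why = check_chain([constrained_ca(critical)], [leaf], understood)
                print(f"critical={critical} validator={label} leaf={leaf}: {ok} ({why})")
```
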