[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)
Ryan Sleevi
sleevi at google.com
Wed Mar 4 11:15:36 MST 2020
On Wed, Mar 4, 2020 at 1:10 PM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:
> Much of your reply focuses on the issuance of end-entities from a
> subordinate CA you've declared out of scope. That's not the distinction
> being made. It's about what the root can sign - that is, the permissible
> subordinate CAs and the expectations.
>
>
> They are not just "declared" out of scope, they are technically incapable
> of issuing TLS Certificates. This is not based on "intent" as we have seen
> previously being discussed.
>
Right. But that's not what this conversation is about. I'm not making any
statements about what technically-constrained sub-CAs are permitted to
issue. You're raising a separate conversation, and I'm trying to highlight
it's different :)
The question is about what a Root CA, unambiguously in-scope of the BRs, is
allowed to sign. Can it sign a "thing" (as I hesitate to call it a
Certificate) that violates RFC 5280? Is that permitted for any CA in scope?
Because that's what is being proposed by saying nameConstraints on an
S/MIME Sub-CA can be non-critical.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200304/50084d52/attachment.html>
More information about the Servercert-wg
mailing list