[Servercert-wg] [Ext] Critical Name Constraints (Was: Re:Question on BR 3.2.2.6)

Paul Hoffman paul.hoffman at icann.org
Wed Mar 4 11:28:27 MST 2020


On Mar 4, 2020, at 10:19 AM, Ryan Sleevi <sleevi at google.com> wrote:
>> I am sorry that my post might be misreading.
>> 
>> My concern is (something like), “does a validator of a client-auth cert (like a VPN server) need to parse and check every entry of the nameConstraints extension,
>> even if the client certificate only uses some internal ID for that name?”
>> 
> RFC 5280 says yes. It must be capable of understanding the semantics expected, if the extension is marked critical. It's the signal "you must understand what I'm trying to convey".

Sorry to repeat myself, but this point is important: that exact signal has been central to PKIX for over 20 years. It is also central to X.509 itself.

> As currently specified in the BRs, we leave every client implementation at risk of security issues, because we're saying "We're going to treat this (via policy) like it's constrained, but who knows if you'll actually support that". If we're going to carve out exceptions, such as audits, for such CAs, then we need to make sure that we're not introducing risk to clients.

And that, too, is the crux of the concern in the PKIX standards. They are very focused on protecting the clients, not the CAs.

--Paul Hoffman
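
Added example, not part of the original message or of any implementation discussed in the thread: a minimal Python model of the critical-flag rule referred to above, showing what changes for a validator that does not implement nameConstraints when the extension is marked critical versus non-critical. The dict-based certificate model, the `validate` helper and the example.com / example.net names are assumptions made for illustration; only dNSName constraints are modelled.

```python
# Added illustration, not code from the thread. Certificates are modelled as
# plain dicts (constructed sample data); no ASN.1 parsing is performed.
NAME_CONSTRAINTS = "2.5.29.30"   # id-ce-nameConstraints
BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints


def dns_in_subtree(name, base):
    """True if dNSName `name` equals `base` or lies beneath it."""
    name, base = name.lower(), base.lower().lstrip(".")
    return name == base or name.endswith("." + base)


def validate(understood_oids, ca_extensions, leaf_dns_names):
    """Apply one CA certificate's extensions to a subordinate certificate.

    understood_oids: extensions this (hypothetical) validator implements.
    Returns (accepted, reason).
    """
    for ext in ca_extensions:
        if ext["oid"] not in understood_oids:
            if ext["critical"]:
                # RFC 5280 section 4.2: unrecognized critical extension => reject.
                return False, "unrecognized critical extension " + ext["oid"]
            continue  # unrecognized and non-critical: may be ignored
        if ext["oid"] == NAME_CONSTRAINTS:
            for name in leaf_dns_names:
                if not any(dns_in_subtree(name, b) for b in ext["permitted_dns"]):
                    return False, name + " is outside the permitted subtrees"
    return True, "ok"


def ca_extensions(name_constraints_critical):
    """Constructed CA extension list; only the criticality bit varies."""
    return [
        {"oid": BASIC_CONSTRAINTS, "critical": True},
        {"oid": NAME_CONSTRAINTS, "critical": name_constraints_critical,
         "permitted_dns": ["example.com"]},
    ]


LEGACY = {BASIC_CONSTRAINTS}                    # does not implement nameConstraints
MODERN = {BASIC_CONSTRAINTS, NAME_CONSTRAINTS}  # implements nameConstraints

if __name__ == "__main__":
    for label, oids in (("legacy", LEGACY), ("modern", MODERN)):
        for critical in (False, True):
            print(label, "critical=%s" % critical,
                  validate(oids, ca_extensions(critical), ["host.example.net"]))
```

With the non-critical constraint, the validator that lacks nameConstraints support accepts the out-of-scope name without any error; marking the extension critical turns that silent acceptance into a rejection.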