[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)

Keshwarsingh Nadan kn at millenium.net.mu
Wed Mar 4 11:36:04 MST 2020


The question is about what a Root CA, unambiguously in-scope of the BRs, is allowed to sign. Can it sign a "thing" (as I hesitate to call it a Certificate) that violates RFC 5280? Is that permitted for any CA in scope? Because that's what is being proposed by saying nameConstraints on an S/MIME Sub-CA can be non-critical.

Technically yes, a Root CA can sign a “thing” or “any|thing” and would not violate RFC 5280, as an RFC in itself is not a standard. The BRs are built using RFCs as a building block.