[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)

Ryan Sleevi sleevi at google.com
Wed Mar 4 11:50:38 MST 2020


On Wed, Mar 4, 2020 at 1:36 PM Keshwarsingh Nadan <kn at millenium.net.mu>
wrote:

> The question is about what a Root CA, unambiguously in-scope of the BRs,
> is allowed to sign. Can it sign a "thing" (as I hesitate to call it a
> Certificate) that violates RFC 5280? Is that permitted for any CA in scope?
> Because that's what is being proposed by saying nameConstraints on an
> S/MIME Sub-CA can be non-critical.
>
>
>
> Technically yes, a Root CA can sign a “thing” or “any|thing” and would not
> violate RFC5280 as RFC in itself is not a standard. BRs are built using RFC
> as a building block.
>

... what?