[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)
Kurt Roeckx
kurt at roeckx.be
Wed Mar 4 15:03:19 MST 2020
On Wed, Mar 04, 2020 at 06:36:04PM +0000, Keshwarsingh Nadan via Servercert-wg wrote:
> > The question is about what a Root CA, unambiguously in-scope of the BRs, is allowed to sign. Can it sign a "thing" (as I hesitate to call it a Certificate) that violates RFC 5280? Is that permitted for any CA in scope? Because that's what is being proposed by saying nameConstraints on an S/MIME Sub-CA can be non-critical.
>
> Technically yes, a Root CA can sign a “thing” or “any|thing” and would not violate RFC5280 as RFC in itself is not a standard. BRs are built using RFC as a building block.
RFC5280 is a standard. RFC5280 doesn't really limit the CA for
signing things, it leaves that to the CA to have a policy about
it, and the user to review that policy. But RFC5280 does have
some requirements about things like the format of a certificates.
But we're discussion the BRs here. It places limits on the policy
of the CA, among other things which certicates it can sign. It
clearly can not sign anything it wants.
Kurt
More information about the Servercert-wg
mailing list