[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)

[Keshwarsingh Nadan]

On Wed, Mar 04, 2020 at 06:36:04PM +0000, Keshwarsingh Nadan via Servercert-wg wrote:
> > The question is about what a Root CA, unambiguously in-scope of the BRs, is allowed to sign. Can it sign a "thing" (as I hesitate to call it a Certificate) that violates RFC 5280? Is that permitted for any CA in scope? Because that's what is being proposed by saying nameConstraints on an S/MIME Sub-CA can be non-critical.
> 
> Technically yes, a Root CA can sign a “thing” or “any|thing” and would not violate RFC5280 as RFC in itself is not a standard. BRs are built using RFC as a building block.
>
>RFC5280 is a standard. RFC5280 doesn't really limit the CA for signing things, it leaves that to the CA to have a policy about it, and the user to review that policy. But RFC5280 does have some >requirements about things like the format of a certificates.

The question about " Can it sign a "thing" (as I hesitate to call it a Certificate) that violates RFC 5280?" was clear and unambiguous, and I believe I provided a fair and reasonable input. I refer you to (i) RFC 1796 (ii) Section 2 of RFC 7841 and (iii) RFC 7100

RFCs do not lay down or enforce any requirements; those are merely recommendations on a "to adopt," and "to enhance" basis. 

>But we're discussion the BRs here. It places limits on the policy of the CA, among other things which certicates it can sign. It clearly can not sign anything it wants.

Correct, not to confuse between BRs enforceability and RFCs.