[Servercert-wg] [Ext] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)

Ryan Sleevi sleevi at google.com
Thu Mar 5 06:47:28 MST 2020


On Thu, Mar 5, 2020 at 3:35 AM Pedro FUENTES via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hello,
>
> As a reminder, when I raised this point that triggered the discussion I
> said this in regards to the possible impact of setting this extension as
> critical, saying that this should be decided thinking also on other uses
> than TLS certs, so now that it seems agreed that it really has impact on
> all subordinate certificates, maybe a possible solution is to modify BR
> 7.1.2.2…
>
> Where it says…
>
> *f. nameConstraints (optional)*
> *If present, this extension SHOULD be marked critical**
>
>
> It could say (assuming that now EKU is mandatory for new subCAs)…
>
> *f. nameConstraints (optional)*
> *If present:*
> *- if the EKU includes serverAuthentication, this extension MUST be marked
> critical*
> *- if the EKU doesn’t include serverAuthentication, this extension SHOULD
> be marked critical**
>
>
You've unfortunately worded it the opposite :)

If it's serverAuthentication, it SHOULD be marked critical.
Otherwise, it MUST be marked critical.

That's the existing status quo.
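
A lint for the rule as stated in the reply above, run against constructed CA certificates. This is an added example, not part of the original message or of any CA/Browser Forum tooling. The function names, the "ok"/"warn"/"error" levels and the sample certificate are assumptions of the example, and it assumes the CA certificate carries an EKU, as the quoted proposal does:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// LintNameConstraints applies the rule as stated in the reply; it assumes an EKU is present.
func LintNameConstraints(c *x509.Certificate) string {
	oid := []int{2, 5, 29, 30} // id-ce-nameConstraints
	serverAuth := false
	for _, u := range c.ExtKeyUsage {
		serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth
	}
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) && !e.Critical {
			if serverAuth {
				return "warn" // serverAuthentication: SHOULD be critical
			}
			return "error" // any other EKU: MUST be critical
		}
	}
	return "ok" // extension absent (it is optional) or marked critical
}

// SampleCA builds a constructed, self-signed CA certificate (demo data only).
func SampleCA(eku x509.ExtKeyUsage, critical bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{eku},
		PermittedDNSDomains: []string{"example.com"}, PermittedDNSDomainsCritical: critical}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if c, err := SampleCA(x509.ExtKeyUsageClientAuth, false); err == nil {
		fmt.Println(LintNameConstraints(c))
	}
}
```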