[cabf_validation] nameConstraints on technically constrained sub-CAs
sleevi at google.com
Wed Sep 8 18:09:59 UTC 2021
On Wed, Sep 8, 2021 at 1:56 PM Corey Bonnell <Corey.Bonnell at digicert.com>
> > Mozilla allows this. The BRs don't.
> The language in section 7.1.5 was introduced in Ballot 105  and has
> remained unchanged since the ballot was initially adopted in July 2013.
> This language in 7.1.5 was taken directly from Mozilla Policy 2.1 ,
> which came into effect in February 2013. Despite this clear history of the
> intent and shared understanding of the language, you’re asserting that the
> language actually has a different meaning these past 8 years and that CAs
> must include the NC extension in CA certificates that don’t contain the
> serverAuth EKU?
The language seems unambiguous that it MUST be present if:
- If the Subordinate CA Certificate is not allowed to issue certificates
with an iPAddress, then the Subordinate CA Certificate MUST specify the
entire IPv4 and IPv6 address ranges in excludedSubtrees.
- If the Subordinate CA is not allowed to issue certificates with
dNSNames, then the Subordinate CA Certificate MUST include a zero-length
dNSName in excludedSubtrees.
Further, if you wish to be exempt from audit requirements, then you MUST be
Technically Constrained ("in line with Section 9.7")
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Validation