Re: RFC 5280/6818 - X.509v3 Name Constraints Inconsistency(?)

Russ Housley <housley@vigilsec.com> Thu, 27 March 2014 01:33 UTC

Subject: Re: RFC 5280/6818 - X.509v3 Name Constraints Inconsistency(?)
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAPWLtQ2WTBVCrOWZQMmQVdsBAMO2jhD3dRHOtM0AqgC7tuYAAAAAAA4AABAAAAAbG6Kd+37ASq4FD3cgSwJfAQAAAAA=@it.auth.gr>
Date: Wed, 26 Mar 2014 21:32:28 -0400
Message-Id: <8FC9AE4A-B80F-4462-BBD4-64A9F794BE24@vigilsec.com>
References: <!&!AAAAAAAAAAAuAAAAAAAAAPWLtQ2WTBVCrOWZQMmQVdsBAMO2jhD3dRHOtM0AqgC7tuYAAAAAAA4AABAAAAAbG6Kd+37ASq4FD3cgSwJfAQAAAAA=@it.auth.gr>
To: Vyron Tsingaras <vtsingaras@it.auth.gr>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/H1JIA-sHLN8mzI1yFtuZe5VU3d0
Cc: ietf@ietf.org

The pkix mail list is still active.  That is the best place for RFC 5280 questions.

Russ


On Mar 26, 2014, at 4:48 PM, Vyron Tsingaras wrote:

> I am not sure if this is the right place for this but here goes: What is the reasoning behind the name constraints format for type “DNS name” as specified in RFC 5280? In other words, why is it different from the URI scheme, where “.example.com” would satisfy *.example.com, *.*example.com BUT not example.com? Currently, as it stands, a CA has no way to restrict itself from issuing certificates for example.com while allowing itself to issue for host.example.com. A NC for type DNS “example.com” will allow the CA to issue a certificate for example.com, when the desired behavior would be to only allow “.example.com” (in URI scheme). This could be undesirable. It seems like the schemes for URIs and email were updated whereas the DNS scheme was left untouched. Wouldn’t it be better if the DNS scheme followed the other 2?
>
> The relevant section is 4.2.1.10 in RFC 5280
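The matching rules the question contrasts, worked through in code. This is an example added to this archive page, not code from the thread, from RFC 5280 or from any library. It implements the dNSName, uniformResourceIdentifier and rfc822Name subtree rules of RFC 5280 section 4.2.1.10 as the RFC describes them (case-insensitive label comparison is assumed; wildcard names, IP-address subtrees and the rest of path validation are left out), and `permitted` is a hypothetical helper name for the permitted/excluded subtree check a validator performs per name type. The last two assertions in `main` reproduce the situation raised in the thread: with DNS constraints, no combination of permitted and excluded subtrees admits host.example.com while rejecting example.com.

```python
"""RFC 5280 section 4.2.1.10 name-constraint matching (illustrative example).

Added for this thread; not code from the RFC, the poster or any library.
"""
import ipaddress
from urllib.parse import urlsplit


def _labels(name):
    # DNS labels compare case-insensitively; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def dns_matches(name, constraint):
    """dNSName rule: the constraint is satisfied by the name itself and by any
    name built by adding labels on the left. 'example.com' therefore covers
    example.com as well as host.example.com (the behaviour questioned above)."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[-len(c):] == c


def host_matches(host, constraint):
    """Host rule shared by URI and rfc822Name constraints: a leading period
    means 'one or more labels deeper than this domain' and does NOT cover the
    bare domain; without a leading period the constraint names exactly one host."""
    if constraint.startswith("."):
        n, c = _labels(host), _labels(constraint[1:])
        return len(n) > len(c) and n[-len(c):] == c
    return _labels(host) == _labels(constraint)


def uri_matches(uri, constraint):
    """uniformResourceIdentifier rule: only the host of the authority component
    is compared, and it must be a DNS name (no authority or an IP literal fails)."""
    host = urlsplit(uri).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP-address hosts cannot satisfy a DNS-form constraint
    except ValueError:
        pass
    return host_matches(host, constraint)


def email_matches(addr, constraint):
    """rfc822Name rule: a constraint with '@' names one mailbox (local part
    compared case-sensitively); otherwise it is a host, or a domain when it
    starts with a period, applied to the address's host part."""
    local, _, host = addr.rpartition("@")
    if "@" in constraint:
        clocal, _, chost = constraint.rpartition("@")
        return local == clocal and _labels(host) == _labels(chost)
    return host_matches(host, constraint)


def permitted(name, permitted_subtrees, excluded_subtrees, match):
    """Hypothetical per-type check: the name must fall inside at least one
    permitted subtree of its type (if any are listed) and inside no excluded one."""
    if permitted_subtrees and not any(match(name, c) for c in permitted_subtrees):
        return False
    return not any(match(name, c) for c in excluded_subtrees)


def main():
    # The URI form can express "subdomains only" ...
    assert permitted("https://host.example.com/", [".example.com"], [], uri_matches)
    assert not permitted("https://example.com/", [".example.com"], [], uri_matches)
    # ... but the DNS form cannot: permitting example.com admits the apex, and
    # excluding example.com removes every subdomain along with it.
    assert permitted("example.com", ["example.com"], [], dns_matches)
    assert not permitted("host.example.com", ["example.com"], ["example.com"], dns_matches)
    print("all name-constraint checks behaved as RFC 5280 4.2.1.10 describes")


if __name__ == "__main__":
    main()
```

Running the module executes the four assertions in `main`; the functions are also usable one at a time to test a candidate subjectAltName value against a single subtree.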