RFC 5280/6818 - X.509v3 Name Constraints Inconsistency(?)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am not sure if this is the right place for this but here goes: What is the reasoning behind name constraints format for type “DNS name” as specified in RFC 5280? In other words why is it different from the URI scheme, where “.example.com” would satisfy *.example.com, *.*example.com BUT not example.com? Currently as it stands, a CA has no way to restrict itself from issuing certificates for example.com while allowing itself to issue for host.example.com. A NC for type DNS “example.com” will allow the CA to issue a certificate for example.com when the desired behavior would be to only allow “.example.com”(in URI scheme).  This could be undesirable. It seems like while the scheme for URIs and email where updated whereas the DNS scheme was left untouched. Wouldn’t it be better if the DNS scheme followed the other 2?

 

The relevant section is 4.2.1.10 in RFC 5280

<<attachment: smime.p7s>>


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]