> On Feb 11, 2017, at 4:06 PM, John R. Levine <johnl@xxxxxxxx> wrote: > > How about if a CA with only rfc822Name constraints can't issue certs > with SmtpUTF8Names at all, and of course vice versa. If you want both > kinds of names, the CA has to constrain both. This seems to me to be more restrictive than necessary, but I can live with this as a rough consensus position if others prefer this option. -- Viktor.