[Servercert-wg] Question on BR 3.2.2.6
Clint Wilson
clintw at apple.com
Thu Feb 27 16:32:42 MST 2020
Hi all,
Our interpretation of this is that a Name Constraint dNSName which contains a preceding ‘.’ requires one or more additional labels to match the name constraint, while a Name Constraint dNSName which contains no preceding ‘.’ allows zero or more labels.
For example, if a CA with a name constraint of “.example.com <http://example.com/>” issued a cert for “example.com <http://example.com/>”, valuation would fail, while a cert issued for “www.example.com <http://www.example.com/>” would pass.
If a CA with a name constraint of “example.com <http://example.com/>” issued a cert for “example.com <http://example.com/>”, valuation would pass, alongside a cert issued for “www.example.com <http://www.example.com/>” passing too.
Thanks,
-Clint
> On Feb 27, 2020, at 11:35 AM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
>
>
>
> On Thu, Feb 27, 2020 at 2:18 PM Corey Bonnell via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
> It’s a PKI footgun for sure, but here’s the relevant paragraph from 4.2.1.10 <http://4.2.1.10/>:
>
>
>
> “DNS name restrictions are expressed as host.example.com <http://host.example.com/>. Any DNS
>
> name that can be constructed by simply adding zero or more labels to
>
> the left-hand side of the name satisfies the name constraint. For
>
> example, www.host.example.com <http://www.host.example.com/> would satisfy the constraint but
>
> host1.example.com <http://host1.example.com/> would not.”
>
>
>
> A dNSName permittedSubtree value of “gov.XX” wouldn’t allow “nogov.XX”, as the matching is done by appending zero or labels to the dNSName and not a simple string concatenation. In other words, “gov.XX” and “www.gov.XX” are permitted, but “nogov.XX” is not.
>
>
>
> As for the ACM documentation you provided, I don’t think it’s RFC-compliant given the paragraph above. Here’s an example (long-expired) subCA that contains incorrectly encoded nameConstraints (due to the leading period) and cablint complains: https://crt.sh/?id=2929505&opt=cablint,zlint. <https://crt.sh/?id=2929505&opt=cablint,zlint.> Interestingly, zlint does not flag this error.
>
>
> Thanks for pointing that out, Corey. I filed https://github.com/zmap/zlint/issues/413 <https://github.com/zmap/zlint/issues/413> for this, because as you note, it is malformed.
> <image003.png>_______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org>
> http://cabforum.org/mailman/listinfo/servercert-wg <http://cabforum.org/mailman/listinfo/servercert-wg>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200227/3e2f2753/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3621 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200227/3e2f2753/attachment-0001.p7s>
More information about the Servercert-wg
mailing list