[cabf_validation] SRV - Other Names Ballot

Ben Wilson ben.wilson at digicert.com
Fri May 19 13:35:24 MST 2017

Following up on our WG discussion earlier this week, and to keep this
discussion going, here is what was proposed a while ago by Jeremy as a valid
SAN entry.

Amending BR Section -

 otherName with SRVName { } type-id

The subjectAltName MAY include one or more SRVNames (as defined in RFC4986)
as an otherName entry with the SRVName type-id. The CA MUST verify the name
portion of the entry in accordance with Section SRVName entries
MUST NOT contain Wildcard Domain Names. If a Technically Constrained
Subordinate CA Certificate includes a dNSName constraint but does not have a
technical constraint for SRVNames, the CA MUST NOT issue certificates
containing SRVNames from the Technically Constrained Subordinate CA
Certificate. A Technically Constrained Subordinate CA Certificate that
includes a technical constraint for SRVNames MUST include permitted name
subtrees and MAY include excluded name subtrees.
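
The rules in the proposed text above, written as a pre-issuance check. This is an added example, not part of the original message or of any CA's code; the `IssuerConstraints` model, the function names and the simplified subtree-matching rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class IssuerConstraints:
    """Constructed model of a Technically Constrained Subordinate CA's name constraints."""
    has_dns_constraint: bool = False
    has_srv_constraint: bool = False
    srv_permitted: list = field(default_factory=list)
    srv_excluded: list = field(default_factory=list)

def split_srv(name):
    """Split '_service.domain' into (service, domain); service is None if absent."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0].startswith("_"):
        return labels[0], ".".join(labels[1:])
    return None, ".".join(labels)

def in_subtree(srv_name, subtree):
    # ASSUMPTION (not from the ballot text): a subtree entry without a service
    # label covers every service; the domain part matches by equality or suffix.
    svc, dom = split_srv(srv_name)
    c_svc, c_dom = split_srv(subtree)
    if c_svc is not None and c_svc != svc:
        return False
    return dom == c_dom or dom.endswith("." + c_dom)

def check_srvname(srv_name, issuer):
    """Return the rule violations for one SRVName SAN entry (empty list = acceptable)."""
    problems = []
    svc, dom = split_srv(srv_name)
    if svc is None or not dom:
        problems.append("not in _service.name form")
    if "*" in srv_name:
        problems.append("contains a wildcard")
    # dNSName constraint without an SRVName constraint: issuance is forbidden.
    if issuer.has_dns_constraint and not issuer.has_srv_constraint:
        problems.append("issuer constrains dNSName but not SRVName")
    if issuer.has_srv_constraint:
        if not issuer.srv_permitted:
            problems.append("issuer SRVName constraint lacks permitted subtrees")
        elif not any(in_subtree(srv_name, p) for p in issuer.srv_permitted):
            problems.append("outside permitted subtrees")
        if any(in_subtree(srv_name, e) for e in issuer.srv_excluded):
            problems.append("inside an excluded subtree")
    return problems
```
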
