On 04/27/2011 06:42 AM, Jean-Marc Desperrier wrote:
> Jean-Marc Desperrier wrote:
>> Johan Sys wrote:
>>> [...]
>>> We did some tests with name constraints with positive results:
>>> SubCA with name constraint as follows:
>>> Permitted
>>> [1]Subtrees (0..Max):
>>> DNS Name=.goodcompany.globalsign
>>> Excluded=None
>>>
>>> Issued cert www.goodcompany.globalsign passes. Anything else in CN or
>>> SAN, including hostname and IP addresses, gives the expected
>>> 'The Certifying Authority for this certificate is not permitted to
>>> issue a certificate with this name.
>>> (Error code: sec_error_cert_not_in_name_space)' in Firefox.
>>
>> I'm very surprised actually. I thought bug 479393 / 651246 (use libpkix
>> for all certificate validation) was needed for this to work properly.
>>
>> Will forward this to mozilla.dev.tech.crypto to get some info about how
>> it can work.
>
> But I forgot to do it. Done now.

Name constraints have been in the base NSS validator for quite a while (more than a decade). The big hole was that they weren't applied to the CN. This is because it's perfectly valid to have a CN which is not constrained by the domain (CN="Bob's Home Machine" rather than CN=www.bobmachine.org). This problem exists for both pkix and non-pkix cert validation processing.

For many years, the expectation was that everyone would move to SAN usage and we would drop CNs as valid providers of the DNS name. It has become clear that if that ever happens, it will be long after I retire ;).

Bug 394919 deals with this. The final resolution was to constrain the CN in exactly the case where we would use the CN in validating the hostname. This patch was checked into NSS 3.12.7 and should apply to all users (pkix and non-pkix).

I had to look up the bug to refresh my history. One interesting historical note is that the final solution was based on a suggestion of one Jean-Marc Desperrier ;).

bob

see: https://bugzilla.mozilla.org/show_bug.cgi?id=394919

>>> IE and Chrome also respect the constraints. We would need to do more
>>> tests with other clients.
>>
>> Well, if it works with Safari and Opera, it's good to go. And I have
>> reasonable hope (Safari uses AppleX509TP, that has a quite complete
>> pkix implementation; the Opera implementation is not bad also).
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
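The rule Bob describes (dNSName constraints from the sub-CA are applied to the SAN dNSName entries, and to the subject CN only in the case where a client would fall back to the CN for hostname verification, i.e. when no SAN dNSName is present) is easy to get wrong in a home-grown validator. The following is an added example, not NSS code and not anything posted in this thread: a small pure-Python model of that check, using the permitted subtree from Johan's test (`.goodcompany.globalsign`) plus a constructed excluded subtree and constructed end-entity names. The leading-dot subtree form ("subdomains only") is the convention Johan's sub-CA uses; subtrees without a leading dot follow the RFC 5280 rule (the name itself or any name under it). Treating the CN as constrained whenever there is no SAN dNSName is a modelling assumption standing in for the exact NSS 3.12.7 logic.

```python
"""
Added example (not NSS code): a model of dNSName name-constraint checking
that applies the constraints to the subject CN only when no SAN dNSName is
present, i.e. exactly when a browser would use the CN as the hostname.
All constraint and certificate data here is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DnsNameConstraints:
    # An empty `permitted` list means "no permitted dNSName subtrees",
    # which per RFC 5280 leaves dNSNames unconstrained (excluded still applies).
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


@dataclass
class EndEntityNames:
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so comparisons are label-based."""
    return name.strip().lower().rstrip(".")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` falls within the dNSName subtree `subtree`.

    RFC 5280 4.2.1.10: "host.example.com" covers itself and any name that
    ends in ".host.example.com".  A leading dot (".example.com"), the form
    used by the sub-CA in the thread, covers strict subdomains only.
    """
    n = _normalize(name)
    s = subtree.strip().lower().rstrip(".")
    if s.startswith("."):
        # Suffix match on the dotted form guarantees a label boundary, so
        # "evilgoodcompany.globalsign" does not match ".goodcompany.globalsign".
        return len(n) > len(s) and n.endswith(s)
    return n == s or n.endswith("." + s)


def dns_name_permitted(name: str, nc: DnsNameConstraints) -> bool:
    """RFC 5280 rule for one name: any excluded match rejects; if permitted
    subtrees exist, the name must fall inside at least one of them."""
    if any(dns_in_subtree(name, s) for s in nc.excluded):
        return False
    if nc.permitted and not any(dns_in_subtree(name, s) for s in nc.permitted):
        return False
    return True


def names_used_for_hostname(ee: EndEntityNames) -> List[str]:
    """The names a client would compare against the requested hostname.

    With SAN dNSName entries present, those are authoritative and the CN is
    ignored, so the CN is not constrained either (CN="Bob's Home Machine"
    stays legal).  Without them the CN *is* the hostname candidate, and that
    is the one case in which it is subjected to the dNSName constraints
    (modelling assumption standing in for the NSS 3.12.7 behaviour).
    """
    if ee.san_dns:
        return list(ee.san_dns)
    return [ee.common_name] if ee.common_name else []


def check_name_constraints(ee: EndEntityNames,
                           nc: DnsNameConstraints) -> Tuple[bool, List[str]]:
    """Return (ok, offending_names); an IP literal or an arbitrary string in
    the CN of a SAN-less cert is simply a name outside every permitted subtree."""
    bad = [n for n in names_used_for_hostname(ee) if not dns_name_permitted(n, nc)]
    return (not bad, bad)


if __name__ == "__main__":
    # Constructed sub-CA constraints modelled on the thread's test CA.
    subca = DnsNameConstraints(permitted=[".goodcompany.globalsign"],
                               excluded=["internal.goodcompany.globalsign"])
    cases = [
        EndEntityNames("www.goodcompany.globalsign"),                       # passes
        EndEntityNames("Bob's Home Machine", ["www.goodcompany.globalsign"]),  # CN not used
        EndEntityNames("Bob's Home Machine"),                               # CN is the hostname
        EndEntityNames("192.0.2.10"),                                       # IP literal in CN
        EndEntityNames(None, ["www.goodcompany.globalsign", "www.evil.example"]),
        EndEntityNames(None, ["db.internal.goodcompany.globalsign"]),       # excluded subtree
    ]
    for ee in cases:
        ok, bad = check_name_constraints(ee, subca)
        print(f"{'OK  ' if ok else 'FAIL'} CN={ee.common_name!r} SAN={ee.san_dns} bad={bad}")
```

The asymmetry worth remembering when reviewing a validator: a CN that is clearly not a hostname is harmless when a SAN is present (it is never consulted), but the same cert without a SAN is rejected under the constraint, because the CN would be the only hostname candidate and it is outside every permitted subtree.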