PKITS test case 4.13.38 vs RFC 3280



PKITS test case 4.13.38 appears to me to contradict RFC 3280, in letter
but perhaps not in spirit.

The PKITS doc says, about this test case (section 4.13.38, pages 82-83):

   In this test, the intermediate certificate includes a nameConstraints 
   extension that specifies a single permitted subtree. The end entity 
   certificate includes a subjectAltName extension with a dNSName that falls 
   outside that subtree. The permitted subtree is “testcertificates.gov” and 
   the subjectAltName is “mytestcertificates.gov”.

   Expected Result: The path should not validate successfully.

But RFC 3280 says, concerning dNSName constraints (section 4.2.1.11, page 38)

   DNS name restrictions are expressed as foo.bar.com.  Any DNS name
   that can be constructed by simply adding to the left hand side of the
   name satisfies the name constraint.  For example, www.foo.bar.com
   would satisfy the constraint but foo1.bar.com would not.

Clearly, mytestcertificates.gov is a name that can be constructed by simply
adding "my" to the left hand side of the name "testcertificates.gov".  
The example shows the addition of a string ending in dot, but the text
does not clearly require it.

Is there any IETF Internet Draft or RFC errata that amends the above
quoted paragraph from RFC 3280 in this regard?  Perhaps to say something
like "... adding a string ending in a period to the left hand side ..."?

The addition of a requirement of a period seems sensible, but I'm
inclined to follow the letter of the law, so to speak, with RFC 3280,
barring some official amendment.

Comments?

Nelson

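As an added example (editor's code, not part of Nelson's message, of PKITS or of the RFC text), the two readings of the dNSName rule side by side: a literal string-suffix test, under which "my" + "testcertificates.gov" passes, and a label-wise test under which only whole DNS labels may be added to the left, which is the reading PKITS 4.13.38 expects and the one RFC 5280 (the successor to RFC 3280) later spelled out as "adding zero or more labels". The permitted/excluded-subtree helper follows the RFC 3280 section 4.2.1.11 logic for dNSName only; the function names are this example's own.

```python
# Added example: compare two readings of RFC 3280's dNSName name constraint.
# Not the PKITS reference code or any library's implementation.


def naive_suffix_match(name, constraint):
    """Literal reading: anything at all may be 'added to the left hand side'.
    This accepts mytestcertificates.gov against testcertificates.gov."""
    return name.lower().endswith(constraint.lower())


def dns_labels(name):
    """Split a DNS name into labels; DNS is case-insensitive and a trailing
    dot (absolute name) carries no meaning for the comparison."""
    return name.lower().rstrip(".").split(".")


def label_suffix_match(name, constraint):
    """Label-wise reading: zero or more *whole labels* may be added to the
    left, so the constraint must match on a label boundary (this is the
    wording RFC 5280 later adopted)."""
    n, c = dns_labels(name), dns_labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def permitted_by_dns_constraints(name, permitted, excluded):
    """RFC 3280 4.2.1.11 outcome for a single dNSName: the name must fall
    within no excluded subtree and, if any permitted subtrees are given,
    within at least one of them. Uses the label-wise match."""
    if any(label_suffix_match(name, e) for e in excluded):
        return False
    if permitted and not any(label_suffix_match(name, p) for p in permitted):
        return False
    return True


def pkits_4_13_38():
    """The PKITS case from the message: permitted subtree testcertificates.gov,
    subjectAltName dNSName mytestcertificates.gov. Returns both verdicts."""
    permitted, san = "testcertificates.gov", "mytestcertificates.gov"
    return {
        "naive_reading_accepts": naive_suffix_match(san, permitted),
        "labelwise_reading_accepts": permitted_by_dns_constraints(
            san, [permitted], []),
    }


if __name__ == "__main__":
    print(pkits_4_13_38())
```

Only the label-wise reading reproduces the PKITS expected result (path does not validate); the naive reading would accept the certificate.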