Re: PKITS test case 4.13.38 vs RFC 3280
Sam Roberts wrote on 1/22/2004, 6:23 AM:
>
> The RFC says:
>
> Any DNS name that can be constructed by simply adding to the left hand
> side of the name satisfies the name constraint.
>
> It does not go on to define "adding". How does one perform the addition
> operation with a "DNS name"? Reading this strictly, it is
> unimplementable without this definition.
>
[...]
> Defining what "adding to the left hand side of the name" means would be
> a good thing, and describing it as adding domain components, as
> intended, wouldn't break anything - it would define something previously
> left vague.
Theoretically it is possible that some CA may interpret
"adding to the left hand side of the name" the same way
we (the NSS team) did and issue certs to DNS names that
are constructed by adding random substrings to the left
hand side of the name in the name constraint. A
hypothetical example is:
name constraint: ee.stanford.edu
DNS name: www-ee.stanford.edu
Defining "adding to the left hand side of the name" as
adding domain components would break a name constraint
used this way.
I think it is unlikely that a CA would specify or use
a name constraint this way though.
Wan-Teh
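The two readings of "adding to the left hand side of the name" discussed above, side by side, as an added example (not code from the thread, NSS, or the PKITS suite); the permitted/excluded subtree evaluation follows RFC 3280 section 4.2.1.11 and the hostnames are the message's own hypothetical ones.

```python
# Added example: domain-component vs. literal-prefix matching of a
# dNSName against an X.509 name constraint.

def matches_by_label(dns_name: str, constraint: str) -> bool:
    """Domain-component reading: the name must equal the constraint or end
    with "." + constraint, so only whole labels may be prepended on the left."""
    n = dns_name.lower().rstrip(".")
    c = constraint.lower().rstrip(".")
    return n == c or n.endswith("." + c)


def matches_by_substring(dns_name: str, constraint: str) -> bool:
    """Literal-prefix reading (the interpretation the message attributes to
    the NSS team): any string may be prepended, label boundary or not.
    Note this also makes "notstanford.edu" satisfy a "stanford.edu" subtree."""
    n = dns_name.lower().rstrip(".")
    c = constraint.lower().rstrip(".")
    return n.endswith(c)


def check_dns_name(dns_name, permitted, excluded, match=matches_by_label):
    """RFC 3280 semantics: a dNSName is acceptable when it lies within at
    least one permitted subtree (if any are given) and within no excluded
    subtree. `match` selects which of the two readings is applied."""
    if permitted and not any(match(dns_name, c) for c in permitted):
        return False
    return not any(match(dns_name, c) for c in excluded)


if __name__ == "__main__":
    # The message's hypothetical: constraint ee.stanford.edu, name www-ee.stanford.edu
    for reader in (matches_by_label, matches_by_substring):
        ok = check_dns_name("www-ee.stanford.edu", ["ee.stanford.edu"], [], reader)
        print(f"{reader.__name__}: www-ee.stanford.edu accepted = {ok}")
```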