[gnutls-devel] GnuTLS | Name Constraints applied to intermediate CA CN because CA certificate does not have Extended key usage (2.5.29.37) (#776)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Jun 8 09:12:38 CEST 2019
For (1) I am not sure what guidelines you refer to. CAs don't have DNS names or IP addresses, and thus name constraints as implemented by gnutls (we implement no DN constraints) do not apply. Thus the comment seems correct.

For (2) again I'm not sure what's the invalid behavior you are pointing out. As above, certificates which can act as server certificates (with any purpose, or server purpose) are checked, because these are the only ones for which DNS or IP names make sense.

(3) I'm not sure whether that adds any value. What is the actual problem you are pointing out? Are there valid certificate chains that will fail this name constraints check? The CN check is a hack because many certificates set this field instead of the correct one (dns_name). If however a server certificate doesn't set the `dns_name`, whether we fall back to CN with an invalid name or simply reject it, it seems to me that it makes very little difference.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/776#note_179180442
You're receiving this email because of your account on gitlab.com.
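As an added example that is not part of this reply or of the GnuTLS code base: a small Python model of dNSName name-constraint matching as described in RFC 5280 section 4.2.1.10, together with the question the thread turns on, namely which names of a certificate are subjected to the check. The certificate records, the `cn_fallback_for_ca` switch and the `can_act_as_server` rule (no EKU extension, or serverAuth present) are constructed for illustration only and do not describe GnuTLS's actual implementation; wildcard names and IP-address constraints are deliberately left out.

```python
"""Model of RFC 5280 dNSName name constraints and of the CN fallback question.

Constructed example; not GnuTLS code. Chains are lists ordered leaf first,
root last. Constraints carried by an issuer apply to every certificate below it.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


@dataclass
class Cert:
    subject_cn: str
    is_ca: bool
    san_dns: List[str] = field(default_factory=list)
    eku: Optional[List[str]] = None          # None: EKU extension absent ("any purpose")
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName satisfies a subtree if it equals it or is formed by
    prepending labels to it. A leading dot ('.example.com') is accepted as a
    common extension and then only matches proper sub-names."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree) and len(name) > len(subtree)
    return name == subtree or name.endswith("." + subtree)


def name_allowed(name: str, issuers: List[Cert]) -> bool:
    """A name must fall outside every excluded subtree and, for each issuer that
    lists permitted subtrees, inside at least one of them (permitted subtrees of
    successive issuers intersect, they are not unioned)."""
    for issuer in issuers:
        if any(dns_in_subtree(name, s) for s in issuer.excluded_dns):
            return False
        if issuer.permitted_dns and not any(dns_in_subtree(name, s) for s in issuer.permitted_dns):
            return False
    return True


def can_act_as_server(cert: Cert) -> bool:
    """Constructed rule: no EKU extension (any purpose) or serverAuth listed."""
    return cert.eku is None or SERVER_AUTH in cert.eku


def names_to_check(cert: Cert, cn_fallback_for_ca: bool) -> List[str]:
    """SAN dNSNames are always checked. Without a SAN, the CN is used as a
    fallback for certificates that can act as server certificates; the switch
    decides whether CA certificates get that fallback too."""
    if cert.san_dns:
        return list(cert.san_dns)
    if cert.is_ca and not cn_fallback_for_ca:
        return []
    return [cert.subject_cn] if can_act_as_server(cert) else []


def verify_chain_names(chain: List[Cert], cn_fallback_for_ca: bool = False) -> List[Tuple[str, str, bool]]:
    """Return (subject_cn, checked_name, allowed) for every name that was checked."""
    results = []
    for i, cert in enumerate(chain):
        issuers = chain[i + 1:]
        for name in names_to_check(cert, cn_fallback_for_ca):
            results.append((cert.subject_cn, name, name_allowed(name, issuers)))
    return results


# Constructed chain: the root constrains everything below it to example.com.
ROOT = Cert("Constructed Root", is_ca=True, permitted_dns=["example.com"])
INTERMEDIATE = Cert("Constructed Intermediate CA", is_ca=True)   # no SAN, no EKU
LEAF = Cert("www.example.com", is_ca=False,
            san_dns=["www.example.com", "api.example.com"], eku=[SERVER_AUTH])
LEGACY_LEAF = Cert("legacy.example.com", is_ca=False)            # CN only, no SAN
BAD_LEAF = Cert("www.example.org", is_ca=False, san_dns=["www.example.org"], eku=[SERVER_AUTH])

if __name__ == "__main__":
    for fallback in (False, True):
        print(f"cn_fallback_for_ca={fallback}:")
        for row in verify_chain_names([LEAF, INTERMEDIATE, ROOT], fallback):
            print("  ", row)
```

With the fallback switched off, only the leaf's SAN names are checked and the chain passes; with it on, the intermediate's CN "Constructed Intermediate CA" is treated as a host name and fails the example.com constraint, which is the shape of the situation the issue title describes. The legacy leaf shows the CN fallback doing useful work on an end-entity certificate, and the bad leaf shows an ordinary constraint violation.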



