CA/CertificatePolicyV2.1: Difference between revisions

Line 59: Line 59:
# RFC 5280 requires that Name Constraints MUST be marked critical. However, some internet browsers and other relying-party applications do not yet support Name Constraints, so they will reject any certificate that has critical Name Constraints. Mozilla's new policy requires Name Constraints in technically-constrained intermediate certificates that may sign SSL certificates. Do the Name Constraints have to be marked critical?
# RFC 5280 requires that Name Constraints MUST be marked critical. However, some internet browsers and other relying-party applications do not yet support Name Constraints, so they will reject any certificate that has critical Name Constraints. Mozilla's new policy requires Name Constraints in technically-constrained intermediate certificates that may sign SSL certificates. Do the Name Constraints have to be marked critical?
#* As stated in the CA/Browser Forum's Baseline Requirements document: Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide.
#* As stated in the CA/Browser Forum's Baseline Requirements document: Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide.
#* The question about Name Constraints being marked critical was discussed in the [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/UgqTBOdGH6s mozilla.dev.security.policy forum.] The critical bit does not mean 'important'. It means 'Break backwards compatibility'; i.e. if your software doesn't handle Name Constraints, but they are marked as critical, then reject the certificate. This means that certificates that are created with critical Name Constraints will not work in some widely-used browsers and application software. Therefore, we determined that in order to make forward progress in our policy, we would need to allow non-critical Name Constraints until Name Constraints are more broadly supported. We also decided to let this exception be handled in the CAB Forum's Baseline Requirements document, and not specifically call it out in Mozilla's policy.
#* The question about Name Constraints being marked critical was discussed in the [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/UgqTBOdGH6s mozilla.dev.security.policy forum.] The critical bit does not mean 'important'. It means 'Break backwards compatibility'; i.e. if your software doesn't handle Name Constraints, but they are marked as critical, then reject the certificate. This means that certificates that are created with critical Name Constraints will not work in some widely-used browsers and application software. Therefore, we determined that in order to make forward progress in our policy, we would need to allow non-critical Name Constraints until Name Constraints are more broadly supported. We also decided to let this exception be handled in the CA/Browser Forum's Baseline Requirements document, and not specifically call it out in Mozilla's policy.
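Review bot: Naming consistency is the only point here: the last bullet's "CAB Forum's Baseline Requirements document" becomes "CA/Browser Forum's Baseline Requirements document", which matches the form already used in the preceding bullet ("As stated in the CA/Browser Forum's Baseline Requirements document"). Nothing else in the hunk changes, so the exception allowing non-critical Name Constraints is still delegated to that document rather than stated in Mozilla's policy, and no other wording needs to follow the rename.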