
PKIX: DNS name constraint in Cert. Profile (Sept. 23, 1998)



<draft-ietf-pkix-ipki-part1-11.txt>
At a quick glance the latest draft looks good.  The Name Constraints clause
(4.2.1.11) has been tightened up for URIs but the same is needed for DNS
restrictions.  The relevant text is quoted below.  A constraint
"foo.bar.com" should NOT be satisfied by "bigfoo.bar.com", yet this is
constructed "by simply adding to the left hand side" so it does satisfy the
constraint according to the draft.

Either require a leading period in the constraint, e.g. ".foo.bar.com" (cf.
URI constraint); or replace the "adding to the left" sentence with "Any
sub-domain satisfies the constraint.".  Change "foo1.bar.com" to
"bigfoo.bar.com" as an example that does not satisfy the constraint.

-----
INTERNET DRAFT                                        September 23, 1998

4.2.1.11  Name Constraints

   ...

   DNS name restrictions are expressed as foo.bar.com. Any DNS name that
   can be constructed by simply adding to the left hand side of the name
   satisfies the name constraint. For example, www.foo.bar.com would
   satisfy the constraint but foo1.bar.com would not.

   ...

Housley, Ford, Polk, & Solo                                    [Page 36]
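The following is an added example, not part of the original message or of the draft, showing the difference the post is pointing at. `matches_draft_wording` implements the draft's "add to the left hand side" rule literally (a plain string suffix test) and accepts "bigfoo.bar.com" for a constraint of "foo.bar.com"; `matches_subdomain` implements the proposed "any sub-domain" reading, matching only on a label boundary, and also accepts the leading-period form of the constraint. The function names and the sample names are constructed for this illustration.

```python
"""DNS name-constraint matching: draft-11 wording vs. label-aware sub-domain rule.

Constructed example. The draft's rule, read literally, is a raw suffix test,
so "bigfoo.bar.com" satisfies a "foo.bar.com" constraint. The label-aware
rule requires the name to equal the constraint or end in "." + constraint.
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot (absolute FQDN form).
    return name.lower().rstrip(".")


def matches_draft_wording(dns_name: str, constraint: str) -> bool:
    """Draft-11 reading: any name formed by adding characters to the left
    of the constraint satisfies it, i.e. a plain string suffix test."""
    return _normalize(dns_name).endswith(_normalize(constraint))


def matches_subdomain(dns_name: str, constraint: str) -> bool:
    """Proposed reading: the name must equal the constraint or be a
    sub-domain of it, so the match has to land on a label boundary."""
    name = _normalize(dns_name)
    # Accept the leading-period form (".foo.bar.com") as meaning the same
    # subtree as "foo.bar.com"; strip it before comparing.
    base = _normalize(constraint).lstrip(".")
    if name == base:
        return True
    return name.endswith("." + base)


def check_permitted(dns_names, constraint, label_aware=True):
    """Return the names in `dns_names` that fall inside the permitted
    subtree `constraint`; label_aware=False reproduces the draft wording."""
    match = matches_subdomain if label_aware else matches_draft_wording
    return [n for n in dns_names if match(n, constraint)]


# Constructed inputs: the names discussed in the post and the draft text.
SAMPLE_NAMES = [
    "www.foo.bar.com",   # genuine sub-domain, should be permitted
    "foo.bar.com",       # the constraint itself, should be permitted
    "bigfoo.bar.com",    # sibling name, should NOT be permitted
    "foo1.bar.com",      # the draft's own negative example
    "FOO.BAR.COM.",      # case and trailing dot must not matter
]

if __name__ == "__main__":
    print("draft wording:", check_permitted(SAMPLE_NAMES, "foo.bar.com", label_aware=False))
    print("label-aware:  ", check_permitted(SAMPLE_NAMES, "foo.bar.com"))
```

Running the block prints the draft-wording list including "bigfoo.bar.com" and the label-aware list without it; the only difference between the two checks is the "." prefixed to the constraint before the suffix comparison.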