RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008
Source of RFC: pkix (sec)
Errata ID: 3693
Publication Format(s): TEXT
Reported By: Florian Weimer
Date Reported: 2013-08-12
Rejected by: Sean Turner
Date Rejected: 2013-08-14
Section 4.2.1.10 says:
DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, www.host.example.com would satisfy the constraint but host1.example.com would not.
It should say:
[Add this to the paragraph] If an implementation extracts DNS names from the subject distinguished name, DNS name restrictions MUST be applied to these names as well.
When used with TLS and HTTP (according to RFC 2818), section 4.2.1.10, Name Constraints, is technically a NOP that doesn't constrain the CA that has this attribute because RFC 2818 mandates processing of the common name attribute in the subject distinguished name. Consequently, the constraint can be bypassed by issuing a certificate without a subject alternative name. The fix is to apply the DNS name restrictions to the relevant parts of the subject distinguished name, too, as implemented here:
The suggested change is not editorial; it represents a significant technical change. It also does not accurately reflect the intent of the WG.