RFC Errata

RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008

Note: This RFC has been updated by RFC 6818, RFC 8398, RFC 8399, RFC 9549, RFC 9598

Source of RFC: pkix (sec)

Errata ID: 3693
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Florian Weimer
Date Reported: 2013-08-12
Rejected by: Sean Turner
Date Rejected: 2013-08-14

Section says:

   DNS name restrictions are expressed as host.example.com.  Any DNS
   name that can be constructed by simply adding zero or more labels to
   the left-hand side of the name satisfies the name constraint.  For
   example, www.host.example.com would satisfy the constraint but
   host1.example.com would not.

It should say:

[Add this to the paragraph]

   If an implementation extracts DNS names from the subject
   distinguished name, DNS name restrictions MUST be applied
   to these names as well.

Notes:

When used with TLS and HTTP (according to RFC 2818), the Name Constraints section is technically a NOP that doesn't constrain the CA that has this attribute, because RFC 2818 mandates processing of the common name attribute in the subject distinguished name. Consequently, the constraint can be bypassed by issuing a certificate without a subject alternative name. The fix is to apply the DNS name restrictions to the relevant parts of the subject distinguished name, too, as implemented here:

The suggested change is not editorial; it represents a significant
technical change. It also does not accurately reflect the intent of the WG.
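The bypass described in the reporter's note, as an added worked example that is not part of RFC 5280, of the erratum, or of the implementation the reporter refers to: a label-wise dNSName constraint matcher following the quoted section text (zero or more labels added on the left), RFC 2818 identity selection that falls back to the subject CN when no SAN dNSName is present, and a verifier in both forms, constraints applied to SAN entries only versus applied to every DNS name the client would actually match the requested host against. All class and function names (`DnsNameConstraints`, `LeafCert`, `client_accepts`, and the rest), the hostname-shaped regular expression used to decide whether a CN counts as a DNS name, and the certificates in the scenario are assumptions constructed for this example; wildcard names are not handled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


def dns_name_satisfies(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName subtree rule: `name` satisfies `constraint` when it
    equals it or is formed by adding labels on the left. Labels are compared
    case-insensitively and one trailing dot is ignored. The comparison is
    label-wise on purpose: a plain string suffix test would wrongly accept
    "xhost.example.com" for the constraint "host.example.com"."""
    n = name.lower().rstrip(".").split(".")
    c = constraint.lower().rstrip(".").split(".")
    return len(n) >= len(c) and n[len(n) - len(c):] == c


@dataclass
class DnsNameConstraints:
    """dNSName entries of a CA's permittedSubtrees / excludedSubtrees (assumed shape)."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


def dns_name_permitted(name: str, nc: DnsNameConstraints) -> bool:
    """A name passes when it hits no excluded subtree and, if permitted
    subtrees are present, hits at least one of them."""
    if any(dns_name_satisfies(name, e) for e in nc.excluded):
        return False
    if nc.permitted and not any(dns_name_satisfies(name, p) for p in nc.permitted):
        return False
    return True


@dataclass
class LeafCert:
    """The parts of an end-entity certificate this example looks at (assumed shape)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


# Assumed heuristic: a CN counts as a DNS name when it is shaped like a hostname.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def cn_as_dns_name(cn: Optional[str]) -> Optional[str]:
    """Return the CN if an RFC 2818 client would treat it as a hostname, else None."""
    if cn and _HOSTNAME_RE.match(cn):
        return cn
    return None


def rfc2818_identities(leaf: LeafCert) -> List[str]:
    """Names an RFC 2818 client compares the requested host against: SAN
    dNSName entries if any are present, otherwise the subject CN."""
    if leaf.san_dns:
        return list(leaf.san_dns)
    cn = cn_as_dns_name(leaf.subject_cn)
    return [cn] if cn else []


def constraints_ok_san_only(leaf: LeafCert, nc: DnsNameConstraints) -> bool:
    """RFC 5280 as written: dNSName constraints are checked against SAN entries.
    With no SAN there is nothing to check, so the result is vacuously True;
    that is the gap the erratum points at."""
    return all(dns_name_permitted(n, nc) for n in leaf.san_dns)


def constraints_ok_with_cn(leaf: LeafCert, nc: DnsNameConstraints) -> bool:
    """The erratum's proposal: every DNS name the application would take from
    the certificate, including a CN used as RFC 2818 fallback, is constrained."""
    return all(dns_name_permitted(n, nc) for n in rfc2818_identities(leaf))


def client_accepts(leaf: LeafCert, nc: DnsNameConstraints, host: str,
                   apply_to_cn: bool) -> bool:
    """Would a client trusting the constrained CA accept `leaf` for `host`?
    Exact (case-insensitive) host matching only; wildcards are not modelled."""
    check = constraints_ok_with_cn if apply_to_cn else constraints_ok_san_only
    if not check(leaf, nc):
        return False
    wanted = host.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in rfc2818_identities(leaf))


if __name__ == "__main__":
    # Constructed scenario: an intermediate CA constrained to example.com.
    nc = DnsNameConstraints(permitted=["example.com"])
    cases = {
        "in scope (SAN)": LeafCert("www.example.com", ["www.example.com"]),
        "out of scope (SAN)": LeafCert("login.bank.test", ["login.bank.test"]),
        "out of scope (CN only, no SAN)": LeafCert("login.bank.test", []),
    }
    for label, leaf in cases.items():
        host = rfc2818_identities(leaf)[0]
        print(f"{label:32} SAN-only: {client_accepts(leaf, nc, host, False)!s:5} "
              f"constrain CN too: {client_accepts(leaf, nc, host, True)}")
```

The third case is the erratum's point: the SAN-less leaf is accepted for a host outside the CA's permitted subtree when the constraint is only applied to SAN entries, and rejected once the CN the client is about to trust is put through the same check. Most current TLS clients no longer fall back to the CN at all, which closes the gap from the other side; a verifier that still honours the CN should constrain it as the erratum proposes.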
