Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Descriptions Incubator Q&A Meta
Incubator Q&A
Posts Tags Edits
Create Post

Welcome to the staging ground for new communities! Each proposal has a description in the "Descriptions" category and a body of questions and answers in "Incubator Q&A". You can ask questions (and get answers, we hope!) right away, and start new proposals.

Are you here to participate in a specific proposal? Click on the proposal tag (with the dark outline) to see only posts about that proposal and not all of the others that are in progress. Tags are at the bottom of each post.

Post History

71%
+3 −0
Incubator Q&A What happens to TLS name constraints when the client does not support them?

If both the CA and the client software follow the RFC, the client software will refuse the cert. Section 4.2 (Certificate Extensions) of the RFC you link states ... Each extension in a certific...

posted 9mo ago by Peter Taylor‭

Answer
#1: Initial revision by user avatar Peter Taylor‭ · 2024-03-05T17:28:39Z (9 months ago) 
If both the CA and the client software follow the RFC, the client software will refuse the cert.

Section 4.2 (Certificate Extensions) of the RFC you link states

> ... Each extension in a certificate is designated as either critical or non-critical.  A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.  A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized. ...

And section 4.2.1.10 (Name Constraints) states

> ... Conforming CAs MUST mark this extension as critical ...