Welcome to the staging ground for new communities! Each proposal has a description in the "Descriptions" category and a body of questions and answers in "Incubator Q&A". You can ask questions (and get answers, we hope!) right away, and start new proposals.

Post History

71%

+3 −0

Incubator Q&A What happens to TLS name constraints when the client does not support them?

If both the CA and the client software follow the RFC, the client software will refuse the cert. Section 4.2 (Certificate Extensions) of the RFC you link states ... Each extension in a certific...

posted 3mo ago by Peter Taylor‭

Answer

#1: Initial revision by

Peter Taylor‭ · 2024-03-05T17:28:39Z (3 months ago)

Copy Link

Raw

Markdown

If both the CA and the client software follow the RFC, the client software will refuse the cert.

Section 4.2 (Certificate Extensions) of the RFC you link states

> ... Each extension in a certificate is designated as either critical or non-critical.  A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.  A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized. ...

And section 4.2.1.10 (Name Constraints) states

> ... Conforming CAs MUST mark this extension as critical ...

Communities

Post History