I am not sure if this is the right place for this, but here goes: What is the
reasoning behind the name constraints format for type "DNS name" as specified in
RFC 5280? In other words, why is it different from the URI scheme, where
".example.com" would satisfy *.example.com, *.*example.com BUT not
example.com? Currently, as it stands, a CA has no way to restrict itself from
issuing certificates for example.com while allowing itself to issue for
host.example.com. A NC for type DNS "example.com" will allow the CA to issue
a certificate for example.com, when the desired behavior would be to only
allow ".example.com" (in the URI scheme). This could be undesirable. It seems
like the schemes for URIs and email were updated, whereas the DNS
scheme was left untouched. Wouldn't it be better if the DNS scheme followed
the other two?
The relevant section is 4.2.1.10 in RFC 5280.
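The asymmetry described in the post above, worked through in code. This is an example added to the thread, not code from the poster or from any X.509 library; it implements the matching rules of RFC 5280 section 4.2.1.10 for dNSName, the host part of uniformResourceIdentifier, and rfc822Name, and then checks whether any permitted/excluded pair of dNSName subtrees can allow host.example.com while refusing example.com. The function names and the sample names are my own.

```python
"""
RFC 5280 4.2.1.10 name-constraint matching, written to show why a dNSName
constraint cannot express "subdomains only" while a URI or rfc822Name
constraint with a leading period can. Example code added to this thread,
not the RFC's text and not taken from any library.
"""
from urllib.parse import urlsplit


def _labels(name: str) -> list[str]:
    """Split a host name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def _is_subdomain(host_labels: list[str], domain_labels: list[str]) -> bool:
    """True if host has at least one more label than domain and ends with it."""
    n, d = len(host_labels), len(domain_labels)
    return n > d and host_labels[n - d:] == domain_labels


def dns_name_matches(name: str, constraint: str) -> bool:
    """dNSName: a constraint such as host.example.com is satisfied by any name
    built by adding ZERO or more labels on the left. Zero labels means the
    constraint example.com is itself satisfied by example.com."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def uri_host_matches(uri: str, constraint: str) -> bool:
    """uniformResourceIdentifier: the constraint applies to the URI's host.
    Without a leading period it names exactly one host; with a leading period
    it names a domain that must be expanded with ONE or more labels, so
    '.example.com' is not satisfied by example.com."""
    host = urlsplit(uri).hostname
    if host is None:
        return False  # no host component, nothing for the constraint to match
    if constraint.startswith("."):
        return _is_subdomain(_labels(host), _labels(constraint[1:]))
    return _labels(host) == _labels(constraint)


def rfc822_name_matches(addr: str, constraint: str) -> bool:
    """rfc822Name: a complete mailbox matches only that mailbox; a bare host
    matches every mailbox on that host; a leading period matches mailboxes
    in any proper subdomain (the same rule as for URIs)."""
    local, sep, host = addr.rpartition("@")
    if not sep:
        return False
    if "@" in constraint:
        clocal, _, chost = constraint.rpartition("@")
        return local == clocal and _labels(host) == _labels(chost)
    if constraint.startswith("."):
        return _is_subdomain(_labels(host), _labels(constraint[1:]))
    return _labels(host) == _labels(constraint)


def permitted_by_dns_subtrees(name: str, permitted, excluded=()) -> bool:
    """Apply a permittedSubtrees/excludedSubtrees pair for dNSName entries:
    the name must fall inside some permitted subtree and no excluded one."""
    return any(dns_name_matches(name, c) for c in permitted) and not any(
        dns_name_matches(name, c) for c in excluded
    )


def subdomain_only_expressible_with_dns() -> bool:
    """Try the only dNSName subtrees a CA for example.com could write and
    report whether any of them allows host.example.com but not example.com.
    Excluding the apex also excludes everything beneath it, so none does."""
    permitted = ["example.com"]
    for excluded in ([], ["example.com"]):
        allows_host = permitted_by_dns_subtrees("host.example.com", permitted, excluded)
        allows_apex = permitted_by_dns_subtrees("example.com", permitted, excluded)
        if allows_host and not allows_apex:
            return True
    return False


if __name__ == "__main__":
    print("dNSName  example.com  matches example.com:", dns_name_matches("example.com", "example.com"))
    print("URI     .example.com  matches example.com:", uri_host_matches("https://example.com/", ".example.com"))
    print("rfc822  .example.com  matches a@example.com:", rfc822_name_matches("a@example.com", ".example.com"))
    print("subdomain-only expressible with dNSName:", subdomain_only_expressible_with_dns())
```

The first three functions are direct transcriptions of the three paragraphs of section 4.2.1.10; the last one is the concrete version of the complaint in the post: with dNSName entries, whatever a CA puts in permittedSubtrees or excludedSubtrees, the apex and its subdomains are always admitted or refused together.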