The pkix mail list is still active. That is the best place for RFC 5280
questions.
Russ
On Mar 26, 2014, at 4:48 PM, Vyron Tsingaras wrote:
I am not sure if this is the right place for this but here goes: What is the
reasoning behind name constraints format for type “DNS name” as specified in
RFC 5280? In other words why is it different from the URI scheme, where
“.example.com” would satisfy *.example.com, *.*example.com BUT not
example.com? Currently as it stands, a CA has no way to restrict itself from
issuing certificates for example.com while allowing itself to issue for
host.example.com. A NC for type DNS “example.com” will allow the CA to issue
a certificate for example.com when the desired behavior would be to only allow
“.example.com” (in URI scheme). This could be undesirable. It seems like
the schemes for URIs and email were updated whereas the DNS scheme was
left untouched. Wouldn’t it be better if the DNS scheme followed the other 2?
The relevant section is 4.2.1.10 in RFC 5280.
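A small matcher for the two rules compared in the question, added here as an illustration rather than code from the thread or from any RFC implementation: it applies the RFC 5280 §4.2.1.10 label-prepending rule for dNSName constraints and the leading-period rule for the host part of URI constraints, so the asymmetry described above (a dNSName constraint cannot exclude the apex name, a URI constraint can) is visible in the results. Function names are my own; only the standard library is used.

```python
"""RFC 5280 section 4.2.1.10 name-constraint matching, dNSName vs URI."""
from urllib.parse import urlsplit


def _labels(name: str) -> list[str]:
    # Case-insensitive comparison; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(constraint: str, name: str) -> bool:
    """dNSName rule: a name satisfies the constraint when adding zero or more
    labels on the left of the constraint yields the name. 'example.com'
    therefore matches example.com itself as well as host.example.com, while
    'host.example.com' does not match host1.example.com."""
    c, n = _labels(constraint), _labels(name)
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def uri_host_matches(constraint: str, uri: str) -> bool:
    """URI rule: the constraint applies only to the host part of the URI.
    A constraint starting with '.' may be expanded with ONE OR MORE labels,
    so '.example.com' covers host.example.com but not example.com; without
    the leading '.', the constraint names exactly one host."""
    host = urlsplit(uri).hostname
    if host is None:
        return False
    if constraint.startswith("."):
        c, n = _labels(constraint[1:]), _labels(host)
        return len(n) > len(c) and n[len(n) - len(c):] == c
    return _labels(constraint) == _labels(host)


def constraint_comparison(domain: str = "example.com") -> dict[str, bool]:
    """Side-by-side view of the point raised in the question, using a
    constructed domain: the dNSName form admits the apex, the URI form
    with a leading period does not."""
    return {
        "dns_apex": dns_name_matches(domain, domain),
        "dns_host": dns_name_matches(domain, "host." + domain),
        "uri_apex": uri_host_matches("." + domain, f"https://{domain}/"),
        "uri_host": uri_host_matches("." + domain, f"https://host.{domain}/"),
    }
```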