<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p style="color: #777777;">
<a href="https://gitlab.com/nmav">Nikos Mavrogiannopoulos</a>
commented:
</p>
<div style="">
<p dir="auto">After some thought, I am not sure we should fix this. The reason is that we apply name constrains on CN only for certificates marked as WWW server that have no DNSname field. That we assume that a web server certificate which has no DNSname, it must have a DNS name in the CN field. I find that a reasonable assumption and a work-around is easy; don't mark the end certificate as a WWW server one. As such, I do not think we should consider a fix without a more concrete issue presented.</p>
<p dir="auto">Note that a similar issue was reported to NSS, but that was an issue because NSS applied the constrains to CN for all end-entity certificates, not only the web server ones.
<a href="https://frasertweedale.github.io/blog-redhat/posts/2019-01-29-name-constraints.html" rel="nofollow noreferrer noopener" target="_blank">https://frasertweedale.github.io/blog-redhat/posts/2019-01-29-name-constraints.html</a></p>
</div>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/776#note_254826143">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/d1ecd3eb91b57d93a72955092c05278f/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/776#note_254826143"}}</script>
</p>
</div>
</body>
</html>