Recently I blogged about how Windows XP processes Name Constraints a little different than the RFC specifies — with the help of a friend I have a good set of examples of what would work and what would not work that illustrate what it does.
Assuming our Subject was:
C = US;S = Washington;L = Kirkland;O = GlobalSign;CN = globalsign.com
And that our Constraint was:
Permitted
[1]Subtrees (0..Max):
DNS Name=globalsign.com
We would see different results when validating a certificate on XP than we would on a later version of Windows.
Notice we did not include any directoryName attributes? That is supposed to mean that there is no constraints on the directoryName. On Windows XP however if you include a directory name in the subject there MUST be at least one Directory Name attribute in the RDN to match against otherwise it will not pass its Name Constraints check.
So if we instead made our constraint:
Permitted
[1]Subtrees (0..Max):
RFC822 Name=globalsign.com
[3]Subtrees (0..Max):
Directory Address:
C = US
S = Washington
L = Kirkland
O = Globalsign
Excluded=None
A certificate with the following subject would match:
- An empty DN, no RDNs
- C = US
- C = US;S = Washington
- C = US;S = Washington;L = Kirkland
- C = US;S = Washington;L = Kirkland;O = Globalsign
- C = US;S = Washington;L = Kirkland;O = Globalsign;CN = globalsign.com
- C = US;S =””;L = Kirkland;O =””;CN = globalsign.com
When XP processes the RDNs it starts with the first and progresses from there. You can’t skip an RDN. If an RDN is present it must match the entire RDN value or be empty.
As such the following wouldn’t match in our example:
- S = Washington (Skipped the first RDN)
- C = US;L = Kirkland (Skipped the second RDN)
- C = US;S = Washington;L = Kirkland;O = Globalsign Development Center (partial “O” value).
The prior blog post on this topic I described before talks about how an enterprise can work around this behavior (by setting some registry keys) but a public certificate issuer can too, for example by inserting just one RDN value and ensuring the subordinate CA issues with that RDN value in its certificates.
This way a site can have the flexibility it wants to change its directory structure without re-issuing the certificate containing the Name Constraints.
Ryan