<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-beck-lamps-leafy-greens-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EENR">Leafy Greens - End Entity Name Restrictions</title>
    <seriesInfo name="Internet-Draft" value="draft-beck-lamps-leafy-greens-00"/>
    <author initials="B." surname="Beck" fullname="Bob Beck">
      <organization>OpenSSL</organization>
      <address>
        <email>beck@obtuse.com</email>
      </address>
    </author>
    <author initials="M." surname="Ounsworth" fullname="Mike Ounsworth">
      <organization>Cryptic Forest Software</organization>
      <address>
        <email>mike@ounsworth.ca</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Security</area>
    <workgroup>LAMPS</workgroup>
    <keyword>TLS PKIX X.509 name constraints</keyword>
    <abstract>
      <?line 53?>

<t>The interaction of name constraint matching in <xref target="RFC5280"/> and
wildcard subject alternative names creates a gap in which an
excluded name constraint cannot be relied upon to prevent the
issuance of certificates usable for the excluded name. This
document defines End Entity Name Restrictions (EENR), a new
critical X.509 extension for CA certificates that constrains the
<tt>dNSName</tt> Subject Alternative Name entries which may appear in
end entity certificates issued beneath the CA. EENR specifies its
own matching semantics, including for wildcard <tt>dNSName</tt> entries,
so that it does not depend on application-defined interpretations.
The extension is scoped to use in certificate path validation for
TLS client and TLS server authentication.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://bob-beck.github.io/ratatouille-leafy-greens/draft-beck-lamps-leafy-greens.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-beck-lamps-leafy-greens/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        LAMPS Working Group mailing list (<eref target="mailto:beck@openssl.org"/>),
        which is archived at <eref target="https://example.com/WG"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/bob-beck/ratatouille-leafy-greens"/>.</t>
    </note>
  </front>
  <middle>
    <?line 70?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>X.509 name constraints, defined in <xref target="RFC5280"/> section 4.2.1.10,
allow a CA certificate to restrict the names that may appear in
any certificate beneath it in a certification path. Enforcement
is performed during certification-path validation, per <xref target="RFC5280"/>
sections 6.1.3 and 6.1.4.</t>
      <t>For <tt>dNSName</tt> <tt>SubjectAlternativeName</tt> entries, <xref target="RFC5280"/>'s matching algorithm is purely
lexical: <em>"Any DNS name that can be constructed by simply adding
zero or more labels to the left-hand side of the name satisfies
the name constraint."</em> Read literally, this treats <tt>*</tt> as an
ordinary label and makes <tt>*.example.com</tt> satisfy a constraint of
<tt>example.com</tt> exactly as <tt>host.example.com</tt> does. <xref target="RFC5280"/>
section 4.2.1.6 separately leaves the semantics of wildcards in
subject alternative names undefined, requiring any application
that uses them to define the semantics itself. <xref target="RFC9525"/> supplies
wildcard semantics for one application context, matching presented
identifiers against reference identifiers in TLS, but its
section 1.2 explicitly defers name constraints back to <xref target="RFC5280"/>,
creating a situation where neither specification defines its
semantics.</t>
      <t>Name constraints can be used as either inclusionary or exclusionary.
For example, consider a CA certificate with an excluded constraint
of <tt>foo.example.com</tt>, signing an end entity certificate with a SAN
of <tt>*.example.com</tt>. The apparent intent of the constraint is to
prevent that CA from issuing certificates usable as
<tt>foo.example.com</tt>. The SAN does not fall within the excluded
subtree under <xref target="RFC5280"/>'s matching, and the certificate passes
name-constraint validation. The resulting end entity certificate
can then be presented to TLS clients as the server identity for
<tt>foo.example.com</tt>: <xref target="RFC9525"/> section 6.3 defines <tt>*.example.com</tt>
as a valid presented identifier matching the reference identifier
<tt>foo.example.com</tt>. The constraint does what <xref target="RFC5280"/> prescribes:
it rejects a literal SAN of <tt>foo.example.com</tt>. It does not,
however, prevent the CA from issuing certificates that can be
used as <tt>foo.example.com</tt>.</t>
      <t>A future specification that defines wildcard semantics for name
constraint matching cannot remedy this for the general case.
Implementations conforming to <xref target="RFC5280"/> as written today would
remain conformant when applying the literal algorithm indefinitely,
and any verifier predating such a clarification would continue to
do so. Unless the CA can constrain its certificates to verifiers
known to apply specific semantics, it cannot ensure that the
verifiers eventually consuming them share any single interpretation.
Criticality does not remedy this: <xref target="RFC5280"/> deferred the wildcard
portion of <tt>nameConstraints</tt> semantics, so the meaning of this
critical extension can change without changing <xref target="RFC5280"/>, and a
verifier processing it conformantly may be applying semantics no
longer current.</t>
      <t>A PKI that depends on <tt>excludedSubtrees</tt> for security therefore
cannot rely on those exclusions being enforced consistently across
the verifiers that will see its certificates. This document
defines End Entity Name Restrictions (EENR), a new critical
extension for CA certificates that constrains the <tt>dNSName</tt>
Subject Alternative Names which may appear in end entity
certificates issued beneath the CA. EENR is scoped exclusively to
TLS client and TLS server authentication; this document does not
address the analogous ambiguity for other application protocols
that use X.509 certificates with <tt>dNSName</tt> SANs. Confining the
extension to TLS allows its matching semantics to be specified
completely within this document.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="the-end-entity-name-restrictions-extension">
      <name>The End Entity Name Restrictions Extension</name>
      <section anchor="syntax">
        <name>Syntax</name>
        <t>The End Entity Name Restrictions extension is identified by the
following object identifier:</t>
        <t>id-pe-eenr OBJECT IDENTIFIER ::= { TBD }</t>
        <t>The extension <bcp14>SHALL</bcp14> be encoded as follows:</t>
        <t>EndEntityNameRestrictions ::= SEQUENCE {
       permittedSubtrees       [0]     GeneralSubtrees <bcp14>OPTIONAL</bcp14>,
       excludedSubtrees        [1]     GeneralSubtrees <bcp14>OPTIONAL</bcp14> }</t>
        <t>The <tt>GeneralSubtrees</tt>, <tt>GeneralSubtree</tt>, and <tt>BaseDistance</tt> types
are defined in <xref target="RFC5280"/> section 4.2.1.10 and are reused here
without modification.</t>
        <t>The <tt>base</tt> field of each <tt>GeneralSubtree</tt> <bcp14>MUST</bcp14> be of type
<tt>dNSName</tt>; the use of any other general-name type renders the
extension malformed. The <tt>minimum</tt> field of each <tt>GeneralSubtree</tt>
          <bcp14>MUST</bcp14> be 0 and the <tt>maximum</tt> field <bcp14>MUST</bcp14> be absent, matching the
constraint that <xref target="RFC5280"/> places on use of <tt>GeneralSubtree</tt> in
the <tt>nameConstraints</tt> extension.</t>
        <t>The IANA registration request for <tt>id-pe-eenr</tt> appears in
<xref target="iana-considerations"/>.</t>
      </section>
      <section anchor="use-in-ca-certificates">
        <name>Use in CA Certificates</name>
        <t>The End Entity Name Restrictions extension <bcp14>MUST</bcp14> be used only in a
CA certificate; it is an error to include it in a certificate
with <tt>basicConstraints.cA=FALSE</tt>.
Conforming CAs <bcp14>MUST</bcp14> mark the extension as critical.</t>
        <t>Both <tt>permittedSubtrees</tt> and <tt>excludedSubtrees</tt> are <bcp14>OPTIONAL</bcp14>. If
both are absent, the extension is present but conveys no
name-space restriction; the restrictions on end entity
certificates defined in <xref target="restrictions-on-end-entity-certificates"/>
still apply by virtue of the extension's presence anywhere in the
certification path. If <tt>permittedSubtrees</tt> is provided, it <bcp14>MUST</bcp14>
contain at least one entry; if <tt>excludedSubtrees</tt> is provided, it
<bcp14>MUST</bcp14> contain at least one entry.</t>
        <t>The <tt>dNSName</tt> value carried in the <tt>base</tt> field of each
<tt>GeneralSubtree</tt> <bcp14>MUST NOT</bcp14> contain the DNS wildcard character <tt>*</tt>.</t>
      </section>
      <section anchor="propagation-through-ca-certificates">
        <name>Propagation Through CA Certificates</name>
        <t>This extension is designed so that delegation can only narrow,
never widen, the names a CA may authorize in subsequent end
entity certificates. The propagation rules below require every CA
certificate beneath an EENR-bearing CA to carry the cumulative
restriction set in its own extension.</t>
        <t>If a CA certificate contains the End Entity Name Restrictions
extension, every CA certificate that it issues, directly or
transitively, <bcp14>MUST</bcp14> also contain the extension.</t>
        <t>Where the issuer's extension contains <tt>permittedSubtrees</tt>, the
issued CA's extension <bcp14>MUST</bcp14> also contain <tt>permittedSubtrees</tt>. The
issued CA's list <bcp14>MUST</bcp14> be equal to or a subset of the issuer's
list; that is, every entry <bcp14>MUST</bcp14> be contained, per <xref target="RFC5280"/>
section 4.2.1.10, in some entry of the issuer's list. Entries <bcp14>MAY</bcp14>
be omitted to narrow the permitted name space.</t>
        <t>Where the issuer's extension contains <tt>excludedSubtrees</tt>, the
issued CA's extension <bcp14>MUST</bcp14> also contain <tt>excludedSubtrees</tt>. The
issued CA's list <bcp14>MUST</bcp14> be equal to or a superset of the issuer's
list; that is, every entry of the issuer's list <bcp14>MUST</bcp14> be contained,
per <xref target="RFC5280"/> section 4.2.1.10, in some entry of the issued CA's
list. Additional entries <bcp14>MAY</bcp14> be added to broaden the excluded
name space.</t>
        <t>A verifier <bcp14>MUST</bcp14> reject any certification path whose CA certificates
do not satisfy these propagation rules.</t>
      </section>
      <section anchor="relationship-to-rfc-5280-name-constraints">
        <name>Relationship to RFC 5280 Name Constraints</name>
        <t>The matching semantics defined by this document for <tt>dNSName</tt>
entries differ from those of <xref target="RFC5280"/> section 4.2.1.10, and a
certification path that combines both would be subject to the
matching ambiguity this extension is designed to eliminate. To
avoid that, in any certification path containing the End Entity
Name Restrictions extension, a CA certificate in that path <bcp14>MUST
NOT</bcp14> include a <tt>nameConstraints</tt> extension whose <tt>permittedSubtrees</tt>
or <tt>excludedSubtrees</tt> contains a <tt>dNSName</tt> form. A verifier <bcp14>MUST</bcp14>
reject any certification path that violates this restriction.</t>
      </section>
      <section anchor="restrictions-on-end-entity-certificates">
        <name>Restrictions on End Entity Certificates</name>
        <t>When the End Entity Name Restrictions extension is present in any
CA certificate in a certification path, every end entity certificate
in that path <bcp14>MUST</bcp14> satisfy each of the following restrictions:</t>
        <ul spacing="normal">
          <li>
            <t>The subject distinguished name <bcp14>MUST NOT</bcp14> contain a <tt>commonName</tt>
(CN) attribute.</t>
          </li>
          <li>
            <t>The extended key usage extension <bcp14>MUST</bcp14> be present and <bcp14>MUST</bcp14>
contain exactly one of the following key purpose identifiers,
and no other:  </t>
            <ul spacing="normal">
              <li>
                <t><tt>id-kp-serverAuth</tt> (1.3.6.1.5.5.7.3.1) for TLS server
authentication, or</t>
              </li>
              <li>
                <t><tt>id-kp-clientAuth</tt> (1.3.6.1.5.5.7.3.2) for TLS client
authentication.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The subject alternative name extension <bcp14>MUST</bcp14> be present and <bcp14>MUST</bcp14>
contain at least one <tt>dNSName</tt> entry. The number of <tt>dNSName</tt>
entries <bcp14>SHOULD NOT</bcp14> exceed 16; conforming applications <bcp14>MAY</bcp14> reject
certificates with more to prevent denial-of-service.</t>
          </li>
          <li>
            <t>Each <tt>dNSName</tt> entry in the subject alternative name extension
<bcp14>MUST</bcp14> conform to <xref target="RFC9525"/> section 6.3.</t>
          </li>
        </ul>
        <t>A verifier <bcp14>MUST</bcp14> reject any certification path containing an end
entity certificate that fails any of these restrictions.</t>
      </section>
      <section anchor="matching-semantics">
        <name>Matching Semantics</name>
        <t>The End Entity Name Restrictions extension that applies to a given
end entity certificate is the one carried by its immediate issuer.
Because of the propagation rules in
<xref target="propagation-through-ca-certificates"/>, that extension expresses
the complete cumulative set of restrictions from the entire path
above; no walking of the certification path is required.</t>
        <t>For each <tt>dNSName</tt> entry present in the end entity certificate's
subject alternative name extension, the verifier <bcp14>MUST</bcp14> evaluate the
restrictions in the immediate issuer's extension as follows:</t>
        <ul spacing="normal">
          <li>
            <t>If <tt>permittedSubtrees</tt> is present, the <tt>dNSName</tt> entry <bcp14>MUST</bcp14>
match at least one of those permitted subtree base values.</t>
          </li>
          <li>
            <t>For every entry in <tt>excludedSubtrees</tt>, the <tt>dNSName</tt> entry <bcp14>MUST
NOT</bcp14> match that excluded subtree base value.</t>
          </li>
        </ul>
        <t>An excluded subtree base value (which contains no wildcard) is treated
as the reference identifier, and the end entity certificate's
<tt>dNSName</tt> entry (which is allowed to contain a wildcard in its leftmost label)
as the presented identifier, with the wildcard semantics as per
<xref target="RFC9525"/> section 6.3.</t>
        <t>A permitted subtree base value (which contains no wildcard) is treated
as the reference identifier, and the end entity certificate's
<tt>dNSName</tt> entry (which is allowed to contain a wildcard in its leftmost label)
as the presented identifier, as per <xref target="RFC9525"/> section 6.3, excluding
the wildcard semantics, meaning the wildcard label has no special meaning
other than as a literal label.</t>
        <t>A verifier <bcp14>MUST</bcp14> reject any certification path for which a
<tt>dNSName</tt> entry fails this evaluation.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The End Entity Name Restrictions extension is a critical X.509
extension. A verifier processing a certification path containing
the extension either implements the matching semantics defined
here exactly or rejects the path; no third option exists in which
the extension is silently misinterpreted. This is what allows a
CA to rely on it as a security control restricting the <tt>dNSName</tt>
Subject Alternative Names in end entity certificates issued
beneath it, for purposes of TLS client and TLS server
authentication.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document defines one new object identifier for the End Entity
Name Restrictions extension. IANA is requested to assign a value
from the "SMI Security for PKIX Certificate Extension" registry
(1.3.6.1.5.5.7.1) for the OID label <tt>id-pe-eenr</tt>. The assigned
value is to be substituted for the placeholder in <xref target="syntax"/>.</t>
      <table>
        <thead>
          <tr>
            <th align="right">Decimal</th>
            <th align="left">Description</th>
            <th align="left">References</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="right">TBD</td>
            <td align="left">id-pe-eenr</td>
            <td align="left">this document</td>
          </tr>
        </tbody>
      </table>
      <t>The reference in the table is to be replaced with the published
RFC number upon publication.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="OPENSSL-NC" target="https://docs.openssl.org/master/man3/NAME_CONSTRAINTS_check/#bugs">
          <front>
            <title>OpenSSL Name Constraints documentation</title>
            <author>
              <organization>OpenSSL</organization>
            </author>
            <date year="2026" month="June" day="10"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 343?>

<section anchor="alternatives-considered">
      <name>Alternatives Considered</name>
      <section anchor="amending-rfc-5280-or-rfc-9525-to-define-wildcard-semantics">
        <name>Amending RFC 5280 or RFC 9525 to define wildcard semantics</name>
        <t>The wildcard ambiguity could in principle be addressed by an
update to <xref target="RFC5280"/> section 4.2.1.10's matching algorithm, or
by an update to <xref target="RFC9525"/> to extend its wildcard semantics to
name constraint matching (which <xref target="RFC9525"/> section 1.2 currently
defers to <xref target="RFC5280"/>).</t>
        <t>Either approach fails to give a CA reliable control over how its
certificates will be evaluated. A verifier conforming to the
specification as written today is not made non-conformant by any
future update; a CA issuing a certificate cannot ensure that the
verifiers consuming it have adopted the updated semantics, and
would have no way to detect a verifier still applying the
original algorithm.</t>
      </section>
      <section anchor="amending-rfc-5280-with-a-critical-marker-extension">
        <name>Amending RFC 5280 with a critical marker extension</name>
        <t>The wildcard matching semantics defined in this draft could
instead be defined in an update to <xref target="RFC5280"/> section 4.2.1.10,
paired with a new critical extension that a CA places in its
certificates to require those updated semantics. A verifier that
has not adopted the update does not recognize the marker and
rejects the certificate as critical-and-unknown; a verifier that
has adopted it applies the new matching to the existing
<tt>nameConstraints</tt> extension. This gives the same enforcement
guarantee as EENR without introducing a parallel constraint
extension, at the cost of an <xref target="RFC5280"/> revision. This approach
could not deliver the end-entity hygiene improvements described
in <xref target="restrictions-on-end-entity-certificates"/>. It also commits
<xref target="RFC5280"/> to a single wildcard matching algorithm across every
protocol that uses <tt>dNSName</tt> name constraints, on the assumption
that <xref target="RFC9525"/>'s semantics are appropriate for all of them.</t>
      </section>
      <section anchor="prohibiting-wildcards-in-chains-with-excluded-dnsname-constraints">
        <name>Prohibiting wildcards in chains with excluded dNSName constraints</name>
        <t>The security failure caused by the matching ambiguity arises only
when both wildcard <tt>dNSName</tt> SAN entries and <tt>dNSName</tt>
          <tt>excludedSubtrees</tt> are present in the same certification path:
literal <xref target="RFC5280"/> matching can accept a wildcard SAN whose TLS
expansion covers a name the excluded subtree was intended to
prevent. An <xref target="RFC5280"/> amendment could prohibit this combination.</t>
        <t>Such an amendment suffers the same deployment problem as defining
new semantics: a verifier that has not adopted it will not enforce
the prohibition. Certificates issued under the old understanding
remain vulnerable in proportion to the verifier population that
has not been updated.</t>
      </section>
      <section anchor="just-dont-fix-it">
        <name>Just don't fix it</name>
        <t>Acknowledge the possibility that with the default <xref target="RFC5280"/> matching
semantics, wildcards will not match names in an excluded subtree name
constraint that could in turn match the wildcard and be accepted for a
TLS connection.  Document that excluded name constraints should not be
relied on to limit what a CA can sign for in any PKI where wildcards
are not excluded from use by some other means. This is currently the
approach being taken in <xref target="OPENSSL-NC"/>.</t>
        <t>The limitation of this is that certificates used for TLS in the
presence of wildcards may only be constrained reliably by using only
permitted subtree entries.</t>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAITtR2oAA91bbXfbxpX+Pr9ilv6Q2IekLSdxE7ppS0tyqtaWvJZ80p5u
TzkEhiQqEODiRTLj+L/sb9lfts+9dwYYEJBifV33NCJBYObOfX3uCyaTiaqS
KrUzPXpjzWqvfyqszUo90adZjP/jx70+N1ur39uyKpKoSvKsHCmzXBb2Bk+d
np6/H6nIVHadF/uZLqtYxXmU4ZGZjguzqiZLG11PUrPdlZOU9piseY/Js2eq
rJfbpCyxZrXf4YGz06vXWj/SJi1zLJ5ksd1Z/CerRmM9snFS5UViUvpyNn+F
P3mBT++vXo9UVm+XtpipGKTMVAQqsUddznRV1FaB1G+UKayZ6Usb1QWOpW7z
4npd5PVupt/M3767VNd2j2vxTGl99eYS/33317O/4c/fpt89+wF/6VCaVq4K
k2RVqW5sVlu6vbOM1nKYn7F+kq3BUvyIq1uTpDNN3PhTjlOVZTrNizV+MEW0
melNVe3K2dOn9iNYldpplG+f/vwTLZ5Um3oJdizzJTPzaWEqU+V1kqa2w9IR
7k5x/rLC3X49/9RU1pkm+Z3PP71XYNNNtU1HSpm62uTg9AS7aZ1k4PHolX6F
h0Z8RWQ/epUvg4s4qcmSXwzpz0xf4PyXl2/4Fyt8GQljllVd8tlHnfXfTvVF
nZUQT7Xp7PI2ubaHP3X3Oi72uyqJ9Ou8AGP0Zb6qbqEJnb23WOVPuV9lGhkc
M8uLLZa4YQG/f3383fPvn7mPP3z3/LuZUkm2Cu+5eHd6jkNNzo9nvLgzLHdW
saLjVns0zKTeQrWZTnnCFGtbtaqAO8ppoCtPt6asbIE/2TdPz+dvT/91fHF+
efV+fnZ+dfmvaEO68WhZr0tejS1BP3/2/MXk2YvJ0TO+6IWn+d+EeNWKQ6np
dKrUZDLRZkl0RhWuqauNhRiwsWHz1/nq0BSg21W0IWVPMv3pk+PW58/aZLG6
TdI4MkWsYe3/tlEF68ZaGfONFyp1BMuE2mqj12ZHa9xukmiDp5X9GKV1bOPe
jpHJsryCOenCpgluqHcgrcr1Do4JXNXVxir4ltpkkSWSI1tUySqJeKO6NMvU
asiP7tOdXab6apOUyotHx3aVZHjmPo+ovyZH+HiME2T2VkVwMNgpFdeB5SvI
kFhHGx7Pu7RUG1O1JyuZ8EV8fkmbLPSlY9o8YBpvD9KKBI8Lq7Zmr81uZ00B
9in4TPqdSO1sRfzAKZc2A783fPTj+VQT7brc2Qg30l1wbflt1gq1hJ1gtagc
Y3HiFF2kozSibel1ZI1VmcvJEnAwx6okLXHnGowArSkRBaZMhMGx6BjEJxZR
TlnxWt4lpS4jWENMUoaXID0JTqd3dKQbkyYxP08EKvhxHUE9IEaoIrl1HKa4
sQUbArFIaHBav03iOLVKPdJnOEYe1yxdpUSMh/5/rFvKO1pfWjGUb6fPp0fT
o2djZdI0v4VydGVPBymcFrEwxBqYbV2BmqwjyUaCYC72NsFvtC9xAlIl9xRZ
0mEYgt7ZgtwVqI0R/yDAzjOTA+6N6f7wUModqtQvcKZvmJ306VuwDq410ICF
U9lAY7uqES77VdmqmUmBIRCktiTqXQ273qvUfiRDmuknozl4cHJ+KWIQozEZ
OQARCWRFqr3XZYL4CebFpKbqF1vkBBO2cP8IjkublsR24nZqEew2dJAyidlH
eBnoEmSXZAyqudQKfjp6AuM3sU4Tcoppuh/jSdBckRsr9eLJQpuSvBfQRJKZ
Yi8bM8+25trSLdMgzi/cfnuSZOvi8pVadO7Cl6iio2GBTV5W3TXIyqZDInN6
+AJ6uTOI/eArzm5uWNVsa93EAW/RJWnd3Q67zpzqj6HA/10nrFCkpIFdK5YR
DJW32RLX5aGDXeFubLpylFNoJQuqaR2wvw0ezf3keHKsEmxFXKvgKcatMsGP
AAFCJVRC+JE8WwGZrMnFViB6ZQtLkSH8FaYEDzHWy7piJ+j5dzR9Dt7Tbgmx
P6aHy5470EsTXdMpAxGMFYc25g60rKqF3NsNdkekgLLDypzndUfx4UYIcIeG
kZ0fbue0HwyOSSPcYuygyV+S2oFTHNrc9ylbqlOaMS+G4xd9v3SLtSDONi62
+yooyWKV5x3dG+Ns60x0QA8HH7emvpyf8xJdA6CYyxIFMssqjgRsAKwqgUmQ
keWqDfFQMJC+KvItx7auW2vjvClVj2bZEuS04WkFW2Y6oQghLCBDgG1bVvvi
Dvc1ZvNmejtBqYQBKNKVSXCO1tEKGVDWOmU1GeaeImFTwCKJN6pNytZGuJK0
QEyLI5xoNtahQNg7/qxrb07TX8CzewU8EJEilyaEBxS05tOaXsUH6hvYXTII
+MKiuCWxhvGUtgOkWtpyphIyXvJKRI1zwCzFIb2c6rMWfYzVJr+F4hTjECPe
rz9BmFHe0Pq7KIU16goR68CW+XHPzztcGamGGoLSDuEWiODxXgKMx6trhH86
d2SQLKkzoqTJJEriJ0V6FkXeheOgAhEWxoVfYiCM27xOY1VQHpT550AbOSjB
aHsvUM/qIEhLDEgongDhQG8pAIC/og7gcSyer6wJy0NLTdGyhndmv50giSar
jnNd5lP9IUttWXrREO8b5pBPPJBP3mxYquuMUCsuMeGNKDrwtUkcqDpQOBxB
iLtZRrNq1BTWeed661iw1eUG7olPWeJaag8Q61QdO9xPVtd4lUCAs440OI4U
VpyG1w61QwrqsqwF6UaQMi7Co5QCYrbWsONlX4m0pUk9WuDMPATOWYsTzhHd
+Cs9FsYqdmBGBRLMI4iC07oq0A4whtDp0rYa0qp0lqs0x1aFjuqCnDlbx7u/
nnljoAygpBRg4d3rpXhXHI/0u3T1GTodvAhgm2osATuzVeWlbQMbAq8Vz8l4
V4JVUlIEIawUFXkpMK4VMZMCjqfYzfa0ShLAJj9XD08AtZeCenDq1wJpdVfq
N5jzBYFDfXHO16ZUjps3xGLY4pfmTS/FL7W5slN6BfRdeDM2mUnzdV7DY2+X
ybp2MUnnDFhCGAeNq/IoT8sGO7oMunMiRhJBhjw/h8hgJuSMxFQDtrsQyQkY
g6qBtJZuWja+G/EeXh0ulYFyAweCY04pQ8SG5ChY+MSjE3GG9F1KJteW/CtB
6dHbD5dXVLSkv/r8gj+/P/3PD2fvT0/o8+Wf52/eNB+Uu+Pyzxcf3py0n9on
jy/evj09P5GHcVV3LqnR2/nfR2LOo4t3V2cX5/M3I314Ck3OTE7e+DGOcFB4
Cbec2L46fve//3P0LTzFf8BVPD86+gGuS758f/S7b/GFgoXslmfEMf4KKexV
q52ErCKzSyqTwnchDpUbctZk4uDmk38QZ/45079fRrujb//gLtCBOxc9zzoX
mWf9K72HhYkDlwa2abjZuX7A6S698793vnu+Bxd//8eUsp/J0fd//APV1R4x
+rnXq5x6Pcbdj/TlHjH+o2jXvY91iiYNAOPsmKxjlZM1cNQQD9NitJmi0mAS
T3Z2Ym1W6ItXfzk9vtJnJ6fnV2evz07f69nsR/1JX7060Z/VQYlGGL+k4lSU
xwKXZLNSFgbVQjTR3CGZVr2EeE/Pj0/1J1efpCLElvBKEyPc9f/6x7N/8oef
BAk1P3u2j/0Kh0FGNysc3b+CP93i4AYkOweXFqL8i1dAYycIPFRxXHAToKSe
w5dWiST8FoSdGWqSbSgfsLd53GCnqSNsif0QMxMLIIXwbw1iwiFpmu1oKdUN
UNRWFl+ybyYXi58I04g7dtByIlUWPAFyKOspD/zq1qRSThIMvwBKSrb19rfo
UZ6eZ026tNiaj+Gj/g6zpBxj3MkrQqBc9dKE1ACvEEJwp+oxI8kYCPRxVXMu
x9uz+fkcB18ndAtLicoc1D+gwLVo7WPhIjDXSz59ShDrJj6vFjj++fOUjfeD
VCwBAY6DYPYgY/acYfVgX0ueVXVRxUsuCpaciRcFJQy5q9ragXKhaBjrUhIF
LJlG8x9fz99cniK7OW7zieN5KVRsTXHtcmRPnSkb2IMTv8pp2Z79LsRU+tCP
FN+bHtK2lVrSAoy3nR50d6MSoWShXK6JKBrvGX5yrl3uoAtNcdUhlc4FVpS7
QFPHZMOHJnk2wUMTeWgSPkQFt4owpaQf8LU3SVHVTWGxof0rT3rEyYQUg6Tk
oIYKuWerQUYyB/IbaFrMiQ3JheyjokwJppFaA32lShkVXvfQi9UQ4w+WEQO9
exnvfBr4dWNSnBGpS5EIw6o7fJMa9k0UVP129CiVeJtUGXkKdZ3glxZPFmJH
74p8Z9bCn6tNkdfrzZBRJQdREJgmWZNIfV8itql1y1CCxOaU4RT57VhlVCYA
FbFDMq7qyXUyRt3cRUt+YbGVNRQUziGjpDJWA30XcZG7gPCiRpILU6augBRQ
LeWdxR47qKFCPygkxD5ZwteIIZJdE9f3UnOqt3XKKYIK1BUxhi2eYC/BrdDN
Qat6dT8nB4Ht9zmlNhCMG7q7nQ3X+uHsgzolOCHXrvNCwcXg0YqTjbEoATX8
O1oQUvozGwhd5dWKr0LRNiQPmMi4aQJC7sfzr3q+tLPtwAIsuM4CKSJC44ch
OCTaFfcXjOhBU7T0pCp64qXjR+m5xabUrOMoIAO8o+vStpJY43LX/9sf7sb0
UetHeoMApYpivxyLKBUN52ea47qWB3nML+d2z5E8kNm95x/Ia1D/QG4PsWpA
BOpABP1u3j0iEMqVSGEex5wPUjGmFQhDmzgWcSyL3MT2oNrcEce8ragxrVL8
1N2GoI8VyL2oNHJQZqDKGtVPfJMJm5UD7kjc63ubCm7ZJDuiEHzQxIje/ILE
gYFk2sfO5f4g31yFbULlWQJcu8LhuAYrlR0w9H7+S51q4PiunrJdcr2GEYTU
GSm7d9UUaf6ptuvY1CSqu4MGHrJpAggEfkJRc2Vu8iTm/Vgd7hCH0ypfQ209
qroH5o37fjlxpWRelOM8RU2P6sx9gNapxIBzUySOPh5oTNwEQZ7wHxS6q4vq
fl1kim+SPHWlLvAzCE1e27p4LIg53YD+88ZZyZfnvR4einhUn6VDbfPWZQy2
YXqCaIyKsx3nCtr8OoSOlAE/YSTgVTGGm8BddVJuvBfuQSJIAQq9zTOxGiSs
Xx+fPwYww7oAvuQi3Kp8ePIrVHiqS7O2A6mDZwqZEMsQC/qtfHuZsF7vJLTo
ri52pExBz5TzbFosyyWBlDxfgybKkq53E6kbzoGYFvrro+k3U5oa+A7/+x0+
Hz1mr9DWF33a3i0z0qDfwbJSnbxj2eftsnLf8LLTnkQOO90P5GAHLndnYvYC
AmVMkZPTxhNSlcI5w7YgReHAQphHL16GDZ2gWirRRGyQiejVSHnmIRiJgtgS
pPb5ioWSRE55TjlR71LrgfxvM4a29jkDUdn0nPqtxQeHs8B/SmN5AF2LQa5M
kpZSxli5ABfannibt97nX/pg9aD0mzcyMpjAbSa9BjvumrbiXjUWJ1Xw2RFC
IkHxZLu1cSL3EBiZqlc2Mq5oUQ2mClxdCC5PKkl9JpE5SELHQmdLtv1IKlu6
WRZf2g4yBu2AVCc5dvGYQQ5lJyQPZZb5jX1Jtn5r0uum7WSHZMfunjOb2I0I
2SE9C7y07DbES0Cq31ZEydS66mUpOxUl6SRGpd/vUBQd2NqtXj65NxG3bZHi
8IjeSzDk6PoIZh+51BaM+1kDyqAluS7FTJmFAZ4dRNH3U0B+RahwOuLGO/p7
kqlm992gv5YmVAMXSClc2v5Y+2EooFk3lDA0ENCOTNwp9sOTuF2pvkWCEWjW
xsqmcOCSXhrx2uZgNg9gPfbEDM0vjMVnhr3YANQaHqBT9zm2+0T4/5BbwpG7
XP3Y6Q6N4A2zdNy0rju/y6TcxjCLuCOH9MndqaREDd1l22znP/ihB0cXnmCV
QeMe5ySeSEYgPsRh1ub9Ac6F2jLvQ7syRneHhNuKSgdnBz34IbgaREjVrY/6
cTA/GyKivDtdU5z2NxCwaKZsWAOwFbt9MAQyyneVBBbg17IZ1z4ggHrLSSpN
+G1SBi1G119P3KSPa81yHZsHYqXLn1Qi42YegI5a5GkbppzqfEnDPLlrLM33
x1U7UTtmxXBYl4ci7+yGqx6efCStg75udLrkbqCAIgBNC/S6cM2gz5dljFPZ
1EVc3CKGbkrKXmVoq7aqieijy7dnrRrTVvSiS5hwtX3Hke+C7NUBynbQnRa8
ODtxdht2RtxMXykptBI/mDTN9nqJ5KeqiVa/DjdwNnka8xwjXEvJDU/uoPyq
T+ALtjAX+kT9aVFCfH3vnaU0935Vv07cv1nzSf4dfMUFrEudTH4ubHvS1271
Auuqq65rFghR8Yhhc7DC8jHiNpzs6mXKKZ6iYorLAPh1Bf6l0R0eQachUlKj
QIfLRp2wBOHYOQjiGfymOAMG0mfyw8Gcbd/pyhGa623tI+IySUIjGEkWJXAa
rk7F0JGRq8lUvYvd2Pp9BZrBmW5O4XgVfbCKCx5UYuEMlkPRQAiupLUz+NqJ
C3RDwYiGd90oUrpXbna3e4LHYP5p4qdRipxwqgsAOWN8qcjQiyYsa++JcuoS
bPJbntU9SL/SlKuWDn/GHafeHdAjaNodG+yN6SUySbY1MRwGwH8wqccs3Ss3
fiisfSn0+olG063x/9b8Wzv0Bhe8MXT6GB7fzanJDp04zi/5sP7w3Zwd7EUN
Kw6/7cmDBpnv6EI91kkWThZO71ByN0HcxE3qQdoiyES7yn1PabIZhaH33UT3
Fc2F01D/stOw76vrne947AzlOp7KcAqsl0OSdFy3WqBXV3s4CkpTSLKDHtM7
6kRrKkFM1YCswknEKF9n1LYSLMDsI+mFsT7UlaClO8F9kzrjGcuXoUib3f3O
SZAkbyTAtS383JW6pfKl7uvEC0pYJ817CvLWU/tSy7o2BdhhmU6eZ/PTEol7
e0e0n156SFNEp2CKPay2yhxwRMCXRyE6ci7sTRKQ4/2DEocpLzWlyY0tPDJ3
rWG92a+BGCjDpPaqw2DNZJV6WGeZB5ldA2W7JYUJaeRahBtJ7at/O7Ers5CS
RCo/a6fb1zRaENx/1SmXYIdwXm937esdgceF2w/ypcIKrxBPSJMoxNMMmNQL
tk0rd5MsE0Zy4Ysn1PalJIlNqclBHXGdN3DZ4huESD6bnBrXUvy0kx6o9Jsi
YWiXISLwqLO0Cvpvs9Fgua/N8eBCgzXvGGE4KGewzvZh+0z5zCUUYzj5DVlF
dleFSRrRIsV8ejvZftwZ35O74Vdb/ItRtp+235pS3qmQtpN/gQJe5OB1TfK5
jHZEvXdOQOItpbHi0colT3VnwTNlvVq5QSE5eAwolO/5N6yEyLklS5WpcRg/
eYZGY2aHPkUferTEjexK9GI3oFyxTLSIjPS4D+3dWxtci0vdNxrS4tzUjb7f
1CmNJjCQ4zFUP4XtHFabj+W7Om2H+xu3uwRq9G5alPsvdUnzsNlXlV4lH2my
Qs0jcp+pjdciJyQYJShPpfnEI8kOMoJHpk6rQfVQQehtraZhjdR3Mp/2mIEq
zuErB65t5hAggETWVIlCsJhxcBTFdKjdyKRwnmUSDqdan3jA3C0x9d6WKjeN
B11SbY5f4hWOU6etcsmhfwmAUxna0nXbaKJcJmcaHvCwHWuH35RTHqqr0muB
1LGVAgKVE8o2C23QIeORBgHKVHllriFZ9tbtC96ckVzxWxGg1Ph5/cotKPzs
vofkGEbscqM+zQxQ57U7Gi/hWZRlwC487MAnzxXVXA9g79UvOjl3xbloq3Ac
ftSnmWQfNv5xtEI4sSMacrw4uYBUG9Wcqv8DeqYW5BdCAAA=

-->

</rfc>
