As of release 0.103.12, which has the fix for GHSA-965h-392x-2mh5, a chain containing a URI name constraint is now rejected unconditionally, where previously the constraint was silently ignored.
This definitely makes sense as a default, but it's a breaking change for anyone whose CAs already carry URI name constraints. Webpki doesn't expose an API to assert URI names in the first place, so callers who care about URI name constraints may have been enforcing them themselves against the verified cert chain. For those callers the unconditional rejection short-circuits path validation before any other enforcement can run, and AFAICT there's no way to keep things working short of pinning a pre-0.103.12 version.
Is there any room for an opt-in (eg a flag on the verifier) that restores the old "ignore URI name constraints" behavior and leaves enforcement to the caller? Happy to submit a PR for this if there's interest.
As of release 0.103.12, which has the fix for GHSA-965h-392x-2mh5, a chain containing a URI name constraint is now rejected unconditionally, where previously the constraint was silently ignored.
This definitely makes sense as a default, but it's a breaking change for anyone whose CAs already carry URI name constraints. Webpki doesn't expose an API to assert URI names in the first place, so callers who care about URI name constraints may have been enforcing them themselves against the verified cert chain. For those callers the unconditional rejection short-circuits path validation before any other enforcement can run, and AFAICT there's no way to keep things working short of pinning a pre-0.103.12 version.
Is there any room for an opt-in (eg a flag on the verifier) that restores the old "ignore URI name constraints" behavior and leaves enforcement to the caller? Happy to submit a PR for this if there's interest.