Chromium enforces that the masks in IP address name constraints are representable in CIDR notation, i.e. zero or more 1 bits followed by all 0 bits, with no 0 bits after the first 1 bit. An IP address name constraint that doesn't match this pattern should be considered malformed, i.e. mis-issued. Since RFC 5280 isn't clear about this, the PKI policy should call this out specifically.
briansmith/webpki#130 has more context. This was pointed out by Gregor Kopf for Cure53.
The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
the following additions specifically for name constraints. For IPv4
addresses, the iPAddress field of GeneralName MUST contain eight (8)
octets, encoded in the style of RFC 4632 (CIDR) to represent an
address range [RFC4632].
"in the style of RFC 4632" is a MUST-level encoding rule, so I think 5280 is clear that address ranges must be CIDR-representable, and it is a profile violation otherwise. I'd be interested to hear differing interpretations to see how this can be further clarified.
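The check both comments describe, as an added example (not Chromium's, webpki's, or the thread's own code): an iPAddress name constraint is an address followed by a mask of the same width (8 octets for IPv4, 32 for IPv6), and the mask is CIDR-representable only if it is a run of 1 bits followed by a run of 0 bits. The function names, the rejection of a non-contiguous mask as a profile violation, and the constructed sample values are assumptions made for the example.

```python
from ipaddress import ip_address
from typing import Optional


def mask_prefix_length(mask: bytes) -> Optional[int]:
    """Return the CIDR prefix length of `mask`, or None if the mask is not
    a contiguous run of 1 bits followed by 0 bits (i.e. not CIDR-representable)."""
    width = len(mask) * 8
    bits = int.from_bytes(mask, "big")
    # The bitwise complement of a CIDR mask is 2**k - 1 for some k; such a value
    # has the property that inverted & (inverted + 1) == 0.
    inverted = (~bits) & ((1 << width) - 1)
    if inverted & (inverted + 1) != 0:
        return None
    return width - inverted.bit_length()


def parse_ip_name_constraint(value: bytes) -> str:
    """Interpret the octets of an iPAddress GeneralName used in a name constraint
    (RFC 5280 section 4.2.1.10) and render it as CIDR. Raises ValueError for a
    value whose length is neither 8 nor 32 or whose mask is not CIDR-representable;
    a relying party would treat either case as malformed."""
    if len(value) == 8:
        addr_len = 4
    elif len(value) == 32:
        addr_len = 16
    else:
        raise ValueError(f"iPAddress name constraint has bad length {len(value)}")
    address, mask = value[:addr_len], value[addr_len:]
    prefix = mask_prefix_length(mask)
    if prefix is None:
        raise ValueError(f"non-contiguous mask {mask.hex()} is not CIDR-representable")
    return f"{ip_address(address)}/{prefix}"


def classify_constraints(values):
    """Map each constructed constraint value to its CIDR form or to an error
    string, so a batch of constraints can be reviewed at once."""
    results = {}
    for value in values:
        try:
            results[value.hex()] = parse_ip_name_constraint(value)
        except ValueError as exc:
            results[value.hex()] = f"malformed: {exc}"
    return results


# Constructed sample values (not taken from any real certificate):
SAMPLES = [
    bytes.fromhex("c0a80100" "ffffff00"),              # 192.168.1.0/24: valid
    bytes.fromhex("c0a80100" "ffff00ff"),              # hole in the mask: malformed
    bytes.fromhex("20010db8" + "00" * 12 + "ffffffff" + "00" * 12),  # 2001:db8::/32
    bytes.fromhex("c0a80100" "00000000"),              # /0 mask: valid, matches everything
    bytes.fromhex("c0a80100" "ffffff"),                # 7 octets: bad length
]

if __name__ == "__main__":
    for hex_value, outcome in classify_constraints(SAMPLES).items():
        print(f"{hex_value}: {outcome}")
```

Chromium's check, as described in the issue, is the `mask_prefix_length` test: a mask with any 0 bit before a 1 bit has no prefix length and the constraint is rejected rather than interpreted loosely.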