Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

[Von Welch <vwelch@xxxxxxxxxxxxx>]

I don't know of any web browsers that use openssl, btw. Happy to be  
proven wrong as this would give me hopes for a web browser that  
supported proxy certs.

Von


On Oct 10, 2005, at 12:03 PM, Frank Siebenlist wrote:

> Hi Mike,
>
> I don't know if it works correctly or not, but the openssl change  
> log shows:
>
> http://www.openssl.org/news/changelog.html
> ...
> Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
> ...
>   *) Support for nameConstraints certificate extension.
>      [Steve Henson]
> ...
>
> Did anyone test this?
>
> -Frank.
>
>
>
>
> Mike Helm wrote:
>
>
> > David Chadwick writes:
> >
> >
> >
> > > Can anyone give me evidence of support or non-support of  
> > > commercial CAs
> > > for the name constraints extension?
> > Well, in the recent past, no commercial client software supported
> > name constraints, so whether commercial CAs supported them or not
> > was a moot point.  Well worse than that, since it's a critical
> > extension.  Your CA would be useless.
> >
> > openssl doesn't support it, so that makes use of name constraints
> > in the web &c world pretty much impossible.  I am not sure whether
> > recent Windows products can; it would make sense that they do,
> > because of cross-signing support, but I don't know.
> --
> Frank Siebenlist               franks@mcs.anl.gov
> The Globus Alliance - Argonne National Laboratory