Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
- To: "Cowles, Robert D." <rdc@xxxxxxxxxxxxxxxxx>
- Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
- From: Mike Helm <helm@xxxxxxxxxxxx>
- Date: Tue, 11 Oct 2005 12:44:49 -0700
- Cc: "Frank Siebenlist" <franks@xxxxxxxxxxx>,"Tony J. Genovese" <tony@xxxxxx>, "Von Welch" <vwelch@xxxxxxxxxxxxx>,"David Chadwick" <d.w.chadwick@xxxxxxxxxx>,"CAOPS-WG" <caops-wg@xxxxxxx>, "Olle Mulmo" <mulmo@xxxxxxxxxx>,"Joni Hahkala" <joni.hahkala@xxxxxxx>,"Jules Wolfrat" <wolfrat@xxxxxxx>, "Ron Trompert" <ron@xxxxxxx>
- Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
- Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
- In-reply-to: Your message of "Tue, 11 Oct 2005 11:46:22 PDT." <A34E01EABE96174A81D754F98FC574E8016737A1@exch-mail4.win.slac.stanford.edu>
- Reply-to: helm@xxxxxxxxxxxx
- Sender: owner-caops-wg@xxxxxxx
> provider would want to use name constraints ... is that what you
> meant in the later part of the sentence above?
I think this would only work if the issuer had the name constraint
in its certificate.
See http://www.ietf.org/rfc/rfc3280.txt, bottom of p. 36:

    4.2.1.11 Name Constraints

    The name constraints extension, which MUST be used only in a CA
    certificate, ...
So if they provided a sub CA for you, then maybe. Otherwise no.
I expect that the number of certs involved is too low for "yes".
(I still think name constraints are supported so poorly that they
will remain unusable for a few years except in closed PKIs.)
There are a number of large subordinate CA projects provided
by VeriSign to certain large academic institutions; there the
answer might well be yes. But I don't know and have no easy
way of finding out.
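The RFC rule quoted above, worked through as an added example that is not part of the thread: an OpenSSL script (assumes `openssl` is on the path; all names, files and the `example.org` subtree are made up) that puts a critical nameConstraints extension on a subordinate CA certificate and shows `openssl verify` accepting a leaf inside the permitted subtree and rejecting one outside it.

```shell
# Added example, not from the thread: a root CA issues a subordinate CA whose
# certificate carries a critical nameConstraints extension, i.e. the extension
# sits in a CA certificate as RFC 3280 4.2.1.11 requires. A leaf inside the
# permitted subtree verifies; a leaf outside it is rejected. Names are made up.

# Key pair plus CSR for $1 with subject CN=$2; $CONF keeps req from prompting.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CONF" -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Sign $2.csr with CA $1, attaching the extensions in file $3, producing $2.crt.
sign_with() {
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$3" -out "$2.crt" >/dev/null 2>&1
}

# Builds the chain in a scratch directory (subshell body, so the caller's cwd
# is untouched). Returns 0 when host.example.org verifies under the constrained
# sub CA and host.example.net is rejected; any other outcome returns nonzero.
demo_name_constraints() (
  set -e
  dir=$(mktemp -d) && cd "$dir"
  trap 'rm -rf "$dir"' EXIT
  CONF=req.cnf
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ca' \
    '[dn]' 'CN=Demo Root' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$CONF"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CONF" -days 3650 \
    -keyout root.key -out root.crt >/dev/null 2>&1
  # The constraint is placed on the subordinate CA certificate, where the RFC
  # allows it; the root and the leaves carry no constraint of their own.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'nameConstraints=critical,permitted;DNS:example.org' > sub.ext
  make_csr sub 'Demo Constrained Sub CA'; sign_with root sub sub.ext
  # Two end-entity certificates: one inside the permitted subtree, one outside.
  printf 'subjectAltName=DNS:host.example.org\n' > good.ext
  printf 'subjectAltName=DNS:host.example.net\n' > bad.ext
  make_csr good host.example.org; sign_with sub good good.ext
  make_csr bad host.example.net; sign_with sub bad bad.ext
  openssl verify -CAfile root.crt -untrusted sub.crt good.crt >/dev/null 2>&1
  # For bad.crt openssl reports "permitted subtree violation"; success is a bug.
  if openssl verify -CAfile root.crt -untrusted sub.crt bad.crt >/dev/null 2>&1; then
    exit 1
  fi
)

demo_name_constraints && echo "name constraint enforced as expected"
```

Moving the same nameConstraints line onto the end-entity extension file instead of sub.ext leaves the chain unconstrained, which is the point Mike makes about needing a sub CA.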