On Fri, 25 Mar 2005, Florian Weimer wrote:

> * Adam Back:
>
> > Does anyone have info on the cost of sub-ordinate CA cert with a name
> > space constraint (limited to issue certs on domains which are
> > sub-domains of your choice... ie only valid to issue certs on
> > sub-domains of foo.com).
>
> Is there a technical option to enforce such a policy on subordinated
> CAs?

Yes, the nameConstraints extension. But nobody checks it, and since
this extension MUST be critical as per RFC3280, it invalidates the CA
certificate that includes it, making it useless, for now.

The X.509 standard provides fewer examples of the possible applications
of this extension than the RFC3280.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
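
Added example, not part of the original message: a small model of how a verifier treats a sub-CA certificate carrying a critical nameConstraints extension, covering both a verifier that implements the dNSName check and one that does not. Certificates are modelled as plain dicts (constructed data, not parsed X.509), and the function names are hypothetical.

```python
# Constructed model: no real X.509 parsing, only the decision logic.
NAME_CONSTRAINTS = "nameConstraints"

def dns_within(name, base):
    """dNSName rule: a name satisfies the constraint if it equals the base
    or is formed by adding zero or more labels on the left-hand side."""
    n = name.lower().rstrip(".").split(".")
    b = base.lower().rstrip(".").split(".")
    return len(n) >= len(b) and n[-len(b):] == b

def name_allowed(name, permitted, excluded):
    # Excluded subtrees win; an empty permitted list means "no restriction".
    if any(dns_within(name, e) for e in excluded):
        return False
    return not permitted or any(dns_within(name, p) for p in permitted)

def validate(leaf_names, sub_ca, understood_extensions):
    """Return (ok, reason) for a leaf issued by sub_ca, as judged by a
    verifier implementing only the extensions in understood_extensions."""
    # A critical extension the verifier does not recognize rejects the cert.
    for ext_name, ext in sub_ca["extensions"].items():
        if ext["critical"] and ext_name not in understood_extensions:
            return False, "unrecognized critical extension: " + ext_name
    nc = sub_ca["extensions"].get(NAME_CONSTRAINTS)
    if nc and NAME_CONSTRAINTS in understood_extensions:
        for name in leaf_names:
            if not name_allowed(name, nc["permitted"], nc["excluded"]):
                return False, "name outside constraints: " + name
    return True, "ok"

def make_sub_ca(critical):
    # Constructed sub-CA limited to foo.com, the domain used in the question.
    return {"extensions": {NAME_CONSTRAINTS: {
        "critical": critical, "permitted": ["foo.com"], "excluded": []}}}

if __name__ == "__main__":
    aware, unaware = {NAME_CONSTRAINTS}, set()
    for names in (["www.foo.com"], ["www.bar.com"], ["notfoo.com"]):
        print(names, "aware:", validate(names, make_sub_ca(True), aware))
        print(names, "unaware:", validate(names, make_sub_ca(True), unaware))
    # Non-critical variant: an unaware verifier silently ignores the limit.
    print(validate(["www.bar.com"], make_sub_ca(False), unaware))
```

The last call shows why the extension has to be marked critical: without the flag, a verifier that does not implement the check accepts a name outside foo.com.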
