On Mar 25, 2005, at 11:55, Florian Weimer wrote:

Does anyone have info on the cost of sub-ordinate CA cert with a name
space constraint (limited to issue certs on domains which are
sub-domains of a your choice... ie only valid to issue certs on
sub-domains of foo.com).

Is there a technical option to enforce such a policy on subordinated CAs?

There's an X.509v3 NameConstraints extension (which the higher CA would include in the lower CA's cert) but I have the impression that ends system software does not widely support it. And of course if you don't flag it critical, it's not very effective.

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to