On Fri, Mar 25, 2005 at 04:02:36PM -0600, Matt Crawford wrote:
> There's an X.509v3 NameConstraints extension (which the higher CA would 
> include in the lower CA's cert) but I have the impression that end 
> system software does not widely support it.  And of course if you don't 
> flag it critical, it's not very effective.

Well I would say downright dangerous -- if it's not flagged critical
and not understood, right?

Implication would be an intended constrained subordinate CA would be
able to function as an unconstrained subordinate CA in the eyes of
many clients -- free ability to forge any domain in the global SSL
PKI.

Adam

On Fri, Mar 25, 2005 at 04:02:36PM -0600, Matt Crawford wrote:
> 
> On Mar 25, 2005, at 11:55, Florian Weimer wrote:
> 
> >>Does anyone have info on the cost of sub-ordinate CA cert with a name
> >>space constraint (limited to issue certs on domains which are
> >>sub-domains of a your choice... ie only valid to issue certs on
> >>sub-domains of foo.com).
> >
> >Is there a technical option to enforce such a policy on subordinated
> >CAs?
> 
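The situation Adam describes, as an added example that is not part of the thread: a root, a subordinate CA whose NameConstraints permit only foo.com (the case Florian asked about), and a leaf, all constructed here with throwaway keys, run through Go's standard-library chain verifier. That verifier understands NameConstraints and so rejects an out-of-scope name whether or not the extension is flagged critical; a client that skips unknown non-critical extensions is exactly the one that would accept the same leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent (pass the template itself as parent for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail here
	return cert
}

// CheckConstrainedSubCA builds root -> sub-CA (NameConstraints permitting only DNS "foo.com", critical or not)
// -> leaf for host. Returns: chain accepted?, criticality flag as re-read from the sub-CA cert, verify error.
func CheckConstrainedSubCA(host string, critical bool) (bool, bool, error) {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, subKey, leafKey := key(), key(), key() // constructed throwaway keys
	base := x509.Certificate{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	rootTmpl, subTmpl := base, base
	rootTmpl.SerialNumber, rootTmpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Test Root (constructed)"}
	subTmpl.SerialNumber, subTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Constrained Sub-CA (constructed)"}
	subTmpl.PermittedDNSDomains = []string{"foo.com"} // the name-space constraint the thread describes
	subTmpl.PermittedDNSDomainsCritical = critical    // the criticality flag Matt and Adam discuss
	root := sign(&rootTmpl, &rootTmpl, &rootKey.PublicKey, rootKey)
	sub := sign(&subTmpl, root, &subKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(3), DNSNames: []string{host},
		NotBefore: root.NotBefore, NotAfter: root.NotAfter}, sub, &leafKey.PublicKey, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	// Go enforces NameConstraints regardless of the critical bit; out-of-scope hosts fail here.
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil, sub.PermittedDNSDomainsCritical, err
}

func main() {
	for _, h := range []string{"www.foo.com", "bar.example.org"} {
		ok, crit, err := CheckConstrainedSubCA(h, false)
		fmt.Printf("%-16s accepted=%v constraintCritical=%v err=%v\n", h, ok, crit, err)
	}
}
```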

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]