I’m considering setting up a hub and spoke PKI deployment, with the central certificate trusted with all clients. I would then use policies and name constraints to limit the use to S/MIME and name constraints to enforce the delegation of the subject name / SAN name.
I’ve read that name constraints aren’t reliable on the client side, and would therefore make this effort worthless. Does the Bouncy Castle client code verify name constraints when checking the PKI trust for a given certificate? (in my case S/MIME)

PS: Any anecdotal information is appreciated regarding name constraints and qualified subordination. http://technet.microsoft.com/en-us/library/cc785267(v=ws.10).aspx
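As an added example (not from the poster or from the Bouncy Castle project), the following builds a constructed three-tier chain and validates it through BC's JCA PKIX CertPathValidator: a root trust anchor, a spoke CA carrying an rfc822Name nameConstraints extension (the qualified-subordination layout the question describes), and two S/MIME end-entity certificates, one inside and one outside the permitted subtree. It assumes bcprov and bcpkix on the classpath and Java 11 or newer; all names, keys and mailboxes are constructed.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.asn1.x509.Extension; // single-type import wins over java.security.cert.Extension
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class NameConstraintsCheck {
    static final Date FROM = new Date(), TO = new Date(FROM.getTime() + 86_400_000L);
    // Issues a certificate signed by signerKey; every supplied extension is marked critical (constructed helper).
    static X509Certificate issue(X500Name issuer, X500Name subject, PublicKey pub, PrivateKey signerKey, Map<ASN1ObjectIdentifier, ? extends ASN1Encodable> exts) throws Exception {
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.nanoTime()), FROM, TO, subject, pub);
        for (Map.Entry<ASN1ObjectIdentifier, ? extends ASN1Encodable> e : exts.entrySet())
            b.addExtension(e.getKey(), true, e.getValue());
        return new JcaX509CertificateConverter().setProvider("BC")
            .getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(signerKey)));
    }
    // RFC 5280 path validation through the BC provider; false means BC rejected the chain.
    static boolean validates(X509Certificate root, List<X509Certificate> chain) throws Exception {
        PKIXParameters p = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        p.setRevocationEnabled(false); // the constructed chain publishes no CRL or OCSP
        CertPath path = CertificateFactory.getInstance("X.509", "BC").generateCertPath(chain);
        try { CertPathValidator.getInstance("PKIX", "BC").validate(path, p); return true; }
        catch (CertPathValidatorException e) { System.out.println("  rejected: " + e.getMessage()); return false; }
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair root = kpg.generateKeyPair(), spoke = kpg.generateKeyPair(), user = kpg.generateKeyPair();
        X500Name rootName = new X500Name("CN=Hub Root (constructed)"), spokeName = new X500Name("CN=Spoke CA (constructed)");
        X509Certificate rootCert = issue(rootName, rootName, root.getPublic(), root.getPrivate(), Map.of(Extension.basicConstraints, new BasicConstraints(true)));
        // Qualified subordination: the spoke CA may only certify rfc822Names (mailboxes) at example.com
        NameConstraints onlyExampleCom = new NameConstraints(new GeneralSubtree[] { new GeneralSubtree(new GeneralName(GeneralName.rfc822Name, "example.com")) }, null);
        X509Certificate spokeCert = issue(rootName, spokeName, spoke.getPublic(), root.getPrivate(), Map.of(Extension.basicConstraints, new BasicConstraints(true), Extension.nameConstraints, onlyExampleCom));
        // One S/MIME certificate inside the permitted subtree and one outside it; only the first should validate
        for (String mailbox : new String[] {"alice@example.com", "alice@other.test"}) {
            GeneralNames san = new GeneralNames(new GeneralName(GeneralName.rfc822Name, mailbox));
            X509Certificate ee = issue(spokeName, new X500Name("CN=Alice"), user.getPublic(), spoke.getPrivate(), Map.of(Extension.subjectAlternativeName, san));
            System.out.println(mailbox + " -> " + (validates(rootCert, List.of(ee, spokeCert)) ? "accepted" : "rejected"));
        }
    }
}
```

This shows only what BC's PKIX validator enforces when a chain is handed to it; a mail client that establishes trust with its own code path instead of this validator still has to be checked separately.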