On Tuesday 06 April 2010 10:54:49 Jean-Marc Desperrier wrote: > Matt McCutchen wrote: > > An extended key usage of "TLS Web Server Authentication" on the > > intermediate CA would constrain all sub-certificates, no? > > You are here talking about a proprietary Microsoft extension of the X509 > security model.
Mozilla has its own proprietary certificate extension (Netscape Cert Type) that (IINM) can be used to achieve the same outcome (by setting the "SSL CA" bit). http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html has some old notes from Nelson. AFAIK, this extension is still supported by NSS, but having said that I wouldn't be surprised if Nelson replies to this message with words to the effect of "that extension is deprecated, so please don't use it any more!" Rob Stradling Senior Research & Development Scientist C·O·M·O·D·O - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto