On 2010/06/01 11:38 PDT, Kathleen Wilson wrote:
> Is there support in NSS to restrict an intermediate CA to only be able 
> to issue SSL certificates within a specified domain?

Yes, the issuer of the intermediate CA cert can constrain the names that
may appear in certificates issued by that subordinate intermediate CA.

> If yes, does this support apply to both SANs and CNs?

In current releases, it does not apply to CNs, because the standard does
not define that constraint as applying to CNs.  However, in the next
forthcoming release, it will apply to CNs.  Whether it's standard or not,
the constraint is pretty useless if it does not apply to CNs, so we've
changed it.  There seems to be agreement among a subset of browser vendors
that this is the right thing to do.

> Can you point me to documentation on how to use this?

http://www.rfc-editor.org/rfc/rfc5280.txt
Section 4.2.1.10.  Name Constraints

> The reason that I’m asking is because there have been recent discussions 
> in m.d.s.policy about subordinate CAs that chain up to root certificates 
> that are included in NSS. The discussions have prompted a significant 
> update to the following wiki page:
> https://wiki.mozilla.org/CA:SubordinateCA_checklist
> 
> My questions above are in regards to the “Third-party private (or 
> enterprise) subordinate CAs” defined in this wiki page.

It would be reasonable, IMO, for Mozilla policy to require CAs to constrain
the subordinate intermediate CA certificates that they issue.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
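As an added illustration of the RFC 5280 section 4.2.1.10 DNS-name rule and the SAN-versus-CN behaviour discussed above (this is example code written for this page, not code from the thread, from NSS, or from Mozilla; the class and function names are my own), a small stdlib-only checker that evaluates a subordinate CA's permitted/excluded subtrees against an end-entity certificate's dNSName SANs and, optionally, its CN:

```python
"""Name-constraint check for dNSNames, per RFC 5280 section 4.2.1.10.

Constructed example: applies an intermediate's permittedSubtrees and
excludedSubtrees to every dNSName SAN and, when apply_to_cn is set (the
behaviour the reply says the next NSS release will have), to the CN too.
"""
from dataclasses import dataclass, field
from typing import List


def dns_in_subtree(name: str, base: str) -> bool:
    """A dNSName satisfies a DNS subtree if it equals the base or equals the
    base with one or more labels added on the left (RFC 5280 4.2.1.10)."""
    name = name.lower().rstrip(".")
    # Some CAs encode the subtree with a leading dot; treat it the same.
    base = base.lower().rstrip(".").lstrip(".")
    return name == base or name.endswith("." + base)


@dataclass
class NameConstraints:
    """The DNS subtrees carried in an intermediate's NameConstraints."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        # Excluded subtrees win over permitted ones.
        if any(dns_in_subtree(name, b) for b in self.excluded):
            return False
        # An empty permittedSubtrees list imposes no positive restriction.
        if self.permitted and not any(dns_in_subtree(name, b) for b in self.permitted):
            return False
        return True


def check_end_entity(nc: NameConstraints, san_dns: List[str], cn: str,
                     apply_to_cn: bool = True) -> List[str]:
    """Return the names that violate the constraints (empty list = OK).

    With apply_to_cn=False this mirrors the 'current releases' behaviour
    described above, where a CN outside the permitted subtree slips through.
    """
    names = list(san_dns)
    if apply_to_cn and cn:
        names.append(cn)
    return [n for n in names if not nc.allows(n)]


if __name__ == "__main__":
    nc = NameConstraints(permitted=["example.com"], excluded=["internal.example.com"])
    print(check_end_entity(nc, ["www.example.com"], "evil.net"))        # ['evil.net']
    print(check_end_entity(nc, ["www.example.com"], "evil.net", False))  # []
```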
