On Wed, 2013-02-27 at 13:55 +0100, Petr Spacek wrote:
> Hello list,
> 
> during our last meeting with Simo we discussed support for the name constraint
> extension in CA certificates and clients.
> 
> The Name Constraints Extension is defined here:
> http://tools.ietf.org/html/rfc5280#section-4.2.1.10
> 
> The following article could be interesting for you if you like longer stories:
> "Mozilla changes policy to limit risk of subordinate CA certificate abuse"
> Author: Lucian Constantin 19.02.2013 kl 21:50
> http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B
> 
> If I remember correctly, questions were mainly about support on the client side
> and about implications for older clients.

I had a chat with Kai Engert (in CC) at DevConf.cz about this, we'll try
to work on this as time permits.
NSS seems to support this extension, but so far we do not have tests
covering it, apparently.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
