On Wed, 2013-02-27 at 08:16 -0500, Simo Sorce wrote:
> On Wed, 2013-02-27 at 13:55 +0100, Petr Spacek wrote:
> > Hello list,
> >
> > during our last meeting with Simo we discussed support for name constraint
> > extension in CA certificates and clients.
> >
> > The Name Constraints Extension is defined here:
> > http://tools.ietf.org/html/rfc5280#section-4.2.1.10
> >
> > Following article could be interesting for you if you like longer stories:
> > "Mozilla changes policy to limit risk of subordinate CA certificate abuse"
> > Author: Lucian Constantin 19.02.2013 kl 21:50
> > http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B
> >
> > If I remember correctly, questions were mainly about support on client side
> > and about implications for older clients.
>
> I had a chat with Kai Engert (in CC) at DevConf.cz about this, we'll try
> to work on this as time permits.
> NSS seems to support this extension but so far we do not have tests
> covering it apparently.
>
> Simo.
>
Btw I opened ticket https://fedorahosted.org/freeipa/ticket/3466 to track this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York