On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
> Good point. Isn't there an X509 extension (possibly part of PKIX?) which
> restricts membership in the chain path to a criterion? In other words you
> can require your sub-CA to be present in the chain. Sorry, but my memory
> is a bit fuzzy on this.
If you're talking about Name Constraints, they seem to be geared more toward allowing a CA to limit what a sub-CA that it issues can be trusted to do, and not the other way around. I don't think I know of anything that deals with this that doesn't eventually end up setting up library-specific configuration for the library that's going to be verifying the certificate.

Nalin

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
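The two behaviours contrasted in the reply above, as an added example that is not part of the original thread or of FreeIPA's code. It assumes only an OpenSSL command-line tool (1.1.1 or newer) on PATH, and builds its own throwaway root CA, sub-CA and two leaf certificates in a temporary directory. The root carries a Name Constraints extension, which is enforced downward on everything the sub-CA issues; the "this sub-CA must be in the chain" requirement, by contrast, lives nowhere in the certificates and is expressed purely as verifier configuration (here, the trust store handed to `openssl verify`).

```shell
#!/bin/sh
# Added example (not from the original thread or FreeIPA). Assumes an OpenSSL
# CLI (1.1.1+) on PATH. Builds root -> sub-CA -> two leaves and shows:
#   1. nameConstraints on the root restricts what the sub-CA may issue;
#   2. requiring the sub-CA in the chain is verifier-side configuration, and
#      pinning the sub-CA as the trust anchor drops the root's constraints
#      from the chain that actually gets checked.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config serves every "openssl req" call: -subj overrides the DN, and the
# ca_ext section is applied only when -x509 produces the self-signed root.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
# Everything below this root may only carry DNS names under example.com.
nameConstraints      = critical,permitted;DNS:.example.com
EOF

newkey_csr() {  # $1 = basename, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

sign() {  # $1 = issuer basename, $2 = subject basename, $3 = extension file
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 30 -extfile "$3" -out "$2.pem" >/dev/null 2>&1
}

build_pki() {
    # Self-signed, name-constrained root.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
        -keyout root.key -out root.pem -subj "/CN=Root CA" >/dev/null 2>&1

    # Sub-CA with no constraint of its own; it is bound by the root's.
    newkey_csr sub "Sub CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    sign root sub sub.ext

    # Two leaves from the sub-CA: one inside the permitted subtree, one outside.
    newkey_csr good www.example.com
    newkey_csr bad  www.example.org
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > good.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.org\n' > bad.ext
    sign sub good good.ext
    sign sub bad  bad.ext
}

# Verifiers print "accepted" or "rejected" so callers can compare the outcome
# without parsing OpenSSL's error text.

# Chain up to the root; sub.pem is offered only as an untrusted intermediate,
# so the root's nameConstraints are applied to the sub-CA and the leaf.
verify_via_root() {
    if openssl verify -CAfile root.pem -untrusted sub.pem "$1.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# Trust the sub-CA directly (the "library-specific configuration" route for
# OpenSSL). The chain now ends at sub.pem, so a leaf from any other sub-CA of
# the same root fails, but the root and its constraints are never examined.
verify_via_sub() {
    if openssl verify -partial_chain -CAfile sub.pem "$1.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

build_pki
for leaf in good bad; do
    printf '%-4s via root: %s   via sub-CA only: %s\n' \
        "$leaf" "$(verify_via_root "$leaf")" "$(verify_via_sub "$leaf")"
done
```

Run as-is it prints that `good` is accepted both ways, while `bad` is rejected when the chain is built up to the root (permitted subtree violation) but accepted when the sub-CA alone is the trust anchor. That last line is the caveat to keep in mind when answering the original question by trust-store configuration: pinning the sub-CA does force it into the chain, but it also removes the root, and with it any constraint the root imposed, from what the library checks. A verifier that wants both properties has to keep the root as the anchor and enforce the "must pass through this sub-CA" rule separately, in whatever mechanism the particular library offers.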
