Aren't the implementations of name constraints generally buggy, and therefore not usable in real life?
On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai <[email protected]> wrote:

> On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
>> Good point. Isn't there an X509 extension (possibly part of PKIX?) which
>> restricts membership in the chain path to a criterion. In other words you
>> can require your sub-CA to be present in the chain. Sorry, but my memory
>> is a bit fuzzy on this.
>
> If you're talking about Name Constraints, they seem to be geared more
> toward allowing a CA to limit what a sub CA that it issues can be
> trusted to do, and not the other way around.
>
> I don't think I know of anything that deals with this that doesn't
> eventually end up setting up library-specific configuration for the
> library that's going to be verifying the certificate.
>
> Nalin
>
> _______________________________________________
> Freeipa-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-devel

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
[email protected], or [email protected]
