On Mon, Sep 09, 2013 at 01:07:09PM -0700, Henry B. Hotz wrote:
> On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai <na...@redhat.com> wrote:
> > On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
> >> Good point. Isn't there an X509 extension (possibly part of PKIX?) which
> >> restricts membership in the chain path to a criterion. In other words you
> >> can require your sub-CA to be present in the chain. Sorry, but my memory
> >> is a bit fuzzy on this.
> >
> > If you're talking about Name Constraints, they seem to be geared more
> > toward allowing a CA to limit what a sub CA that it issues can be
> > trusted to do, and not the other way around.
>
> Aren't the implementations of name constraints generally buggy, and therefore
> not usable in real life?
Yes, ISTR hearing that library support for them was not as widespread as
I'd have hoped. There's also the secondary problem that the standards
don't specify how to express Name Constraints on AnotherName values, for
example Kerberos principal names. Though it's possible I just haven't
found where that was done.

Cheers,

Nalin

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
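The Name Constraints behaviour discussed in the thread, as an added example that is not code from the thread or from FreeIPA: a small Python matcher for the dNSName, rfc822Name and iPAddress constraint forms of RFC 5280 section 4.2.1.10, run against a constructed sub-CA constraint set and a constructed leaf SAN list. It shows the direction Nalin describes (the issuing CA's extension limits what the sub-CA may issue; nothing in the sub-CA can demand its own presence in a chain) and treats an otherName such as a Kerberos principal as a form it cannot evaluate. The dictionary layout for constraints, the `"dns"`/`"email"`/`"ip"`/`"otherName"` labels and the CIDR string form for IP constraints are this example's own conventions, not the ASN.1 encoding used in certificates.

```python
import ipaddress


def dns_in_subtree(name, base):
    """dNSName constraint: base matches itself and any name formed by
    adding labels on the left (RFC 5280 section 4.2.1.10)."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def email_in_subtree(addr, base):
    """rfc822Name constraint: a full mailbox, a bare host (every mailbox
    on exactly that host) or ".domain" (every mailbox at a subdomain)."""
    local, _, host = addr.rpartition("@")
    host = host.lower()
    if "@" in base:
        blocal, _, bhost = base.rpartition("@")
        return local == blocal and host == bhost.lower()
    base = base.lower()
    if base.startswith("."):
        return host.endswith(base)
    return host == base


def ip_in_subtree(addr, base):
    """iPAddress constraint; base is given here as an address/prefix string
    (the certificate itself carries address plus mask bytes)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(base, strict=False)


MATCHERS = {"dns": dns_in_subtree, "email": email_in_subtree, "ip": ip_in_subtree}


def constraint_violation(kind, value, constraints):
    """Return None if one CA's constraints accept (kind, value), else a reason.
    Constraints only bind the name forms they mention; other forms pass."""
    permitted = constraints.get("permitted", {})
    excluded = constraints.get("excluded", {})
    match = MATCHERS.get(kind)
    if match is None:
        # A name form this matcher cannot evaluate, e.g. an otherName holding a
        # Kerberos principal. If the CA constrained that form, do not accept
        # silently: RFC 5280 requires processing the constraint or rejecting.
        if kind in permitted or kind in excluded:
            return "unsupported constrained name form"
        return None
    if any(match(value, b) for b in excluded.get(kind, [])):
        return "in excluded subtree"
    perm = permitted.get(kind, [])
    if perm and not any(match(value, b) for b in perm):
        return "outside permitted subtrees"
    return None


def check_chain(chain_constraints, san_names):
    """chain_constraints: one dict per CA certificate above the leaf, root
    first ({} when that CA carries no nameConstraints). A leaf name must
    satisfy every CA on the path, which amounts to intersecting the permitted
    subtrees and taking the union of the excluded ones down the chain."""
    violations = []
    for kind, value in san_names:
        for constraints in chain_constraints:
            reason = constraint_violation(kind, value, constraints)
            if reason:
                violations.append((kind, value, reason))
                break
    return violations


# Constructed data: an unconstrained root, and the nameConstraints the root
# placed into the sub-CA certificate it issued. The constraint flows downward
# only; the sub-CA has no way to require its own presence in a chain.
ROOT = {}
SUB_CA = {
    "permitted": {"dns": ["example.com"], "email": ["example.com"]},
    "excluded": {"dns": ["secret.example.com"]},
}

# Constructed leaf subjectAltName entries issued by the sub-CA.
LEAF_SANS = [
    ("dns", "www.example.com"),
    ("dns", "www.example.net"),
    ("dns", "db.secret.example.com"),
    ("email", "alice@example.com"),
    ("email", "bob@mail.example.com"),
    ("ip", "10.0.0.5"),                 # no iPAddress constraints: unconstrained
    ("otherName", "alice@EXAMPLE.COM"),  # Kerberos principal form, not evaluated
]


def demo():
    """Run the constructed leaf through the root -> sub-CA constraint path."""
    return check_chain([ROOT, SUB_CA], LEAF_SANS)


if __name__ == "__main__":
    for kind, value, reason in demo():
        print(kind, value, reason)
```

Running it reports three rejected names: `www.example.net` (outside the permitted dNSName subtree), `db.secret.example.com` (inside the excluded subtree) and `bob@mail.example.com` (the bare-host email form binds only mailboxes on `example.com` itself). The otherName entry passes only because the sub-CA's extension says nothing about that form; had it tried to, the matcher would have to reject, which is the gap Nalin describes for Kerberos principal names.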