Hi Michael
Sorry, in fact I should have written name constraints and not naming constraints.
Anyway, name constraints and policy constraints are explained in RFC 3280 (sections 4.2.1.11 and 4.2.1.12).
In fact I was interested in these extensions because they allow one to restrict which certificates are accepted through a cross-certification.
Example:
Suppose my DN is something like DC=CH, DC=Unicible, ... and I issue a cross-certificate for the root CA of DC=CH, DC=TOTO.
If I set the name constraints permitted subtree to DC=CH, DC=TOTO in the cross-certificate, I am sure that only certificates with DC=CH, DC=TOTO will validate through this cross-certificate up to my root CA.
I can avoid, for example, the root CA of TOTO issuing certificates with DC=CH, DC=Unicible, which would then verify up to my root CA through the cross-certificate.
In fact all these extensions are just used to limit how much I want to trust the PKI hierarchy I cross-certify.
I just looked up the to-do list of OpenSSL and it seems that support for these extensions will be added in one of the future releases. I think that these extensions will be very important in order to really exploit the advantages of cross-certificates (and thus the advantages of the bridge trust model compared to a simple web trust model).
Thanks anyway for the workaround, but I think I will try to find another solution to my problem. Maybe by cross-certifying sub-CAs instead of the root CA (with one sub-CA per type of certificate this should be possible).
Pierre Scholtes
PS: I also found a paper on Microsoft TechNet (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003). The new Windows Server 2003 CA seems to come with support for name constraints etc. I tried to do a cross-certification between my Windows CA and an OpenCA sub-CA but could not get this working (it seems like Microsoft expects several non-standard fields in the certificate requests for cross-certification :-( ).
_________________________
Pierre Scholtes
Unicible
tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch
Michael Bell <[EMAIL PROTECTED]>
03.09.2003 10:36
To: Pierre Scholtes <[EMAIL PROTECTED]>
cc: OpenCA <[EMAIL PROTECTED]>
Subject: Re: [Openca-Users] several certs with same public key:subject pair
> PS: Is it right that openCA does not support any naming or policy
> constraints in cross-certificates (because of openssl not supporting them)?
We create certificates with OpenSSL. So we support every extension
which OpenSSL supports. I cannot say more because I don't know exactly
what you mean by naming or policy constraints. Is there an RFC or
something else that I can read?
Michael
--
-------------------------------------------------------------------
Michael Bell
ZE Computer- und Medienservice (Computing Centre)
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email: [EMAIL PROTECTED]
Email (private): [EMAIL PROTECTED]
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2704
http://www.openca.org
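The scenario Pierre describes, built with openssl(1), as an added example that is not code from the thread, from OpenCA or from OpenSSL's own documentation: the Unicible root issues a cross-certificate for the TOTO root key that carries a critical nameConstraints extension with the permitted subtree DC=CH, DC=TOTO, so a certificate TOTO issues inside that subtree validates up to the Unicible root while one TOTO issues under DC=CH, DC=Unicible is rejected. It assumes an OpenSSL from the 1.0 series or later (the to-do item mentioned above has long since been implemented: the extension is written from the config syntax shown and `openssl verify` enforces it). The CNs, serial numbers, lifetimes and file names are invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread): cross-certification with a
# nameConstraints permitted subtree, done with openssl(1).  The Unicible root
# certifies the TOTO root CA key; TOTO then issues two end-entity
# certificates, one inside DC=CH, DC=TOTO and one poaching DC=CH, DC=Unicible.
# Only the first chains to the Unicible root through the cross-certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # all keys and certificates land here

# Minimal req(1) configuration so the run does not depend on the system
# openssl.cnf.  Subjects are always passed with -subj; the placeholder CN only
# satisfies req(1).  v3_ca is applied to the self-signed Unicible root.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the cross-certificate Unicible issues to the TOTO root key.
# "0.DC"/"1.DC" is the openssl config idiom for repeating an attribute; the
# section becomes the directoryName of the permitted subtree.  RFC 3280
# section 4.2.1.11 requires nameConstraints to be marked critical.
cat > "$WORK/cross.cnf" <<'EOF'
[ cross_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical, permitted;dirName:toto_subtree

[ toto_subtree ]
0.DC = CH
1.DC = TOTO
EOF

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
csr()    { openssl req -new -config "$WORK/req.cnf" -key "$1" -subj "$2" -out "$3"; }

# Build the whole toy PKI inside $WORK (subshell, so the cd does not leak).
build_pki() (
    cd "$WORK"
    # 1. Unicible root CA, self-signed (the only trust anchor in this example).
    newkey unicible.key
    openssl req -new -x509 -config req.cnf -key unicible.key -days 365 \
        -subj "/DC=CH/DC=Unicible/CN=Unicible Root CA" -out unicible.pem
    # 2. TOTO root CA key and a request carrying TOTO's root DN.
    newkey toto.key
    csr toto.key "/DC=CH/DC=TOTO/CN=TOTO Root CA" toto.csr
    # 3. The cross-certificate: TOTO's DN and key, signed by Unicible, constrained.
    openssl x509 -req -in toto.csr -CA unicible.pem -CAkey unicible.key -set_serial 1000 \
        -days 365 -extfile cross.cnf -extensions cross_cert -out toto_cross.pem 2>/dev/null
    # 4. Two end-entity certificates issued by TOTO.  The cross-certificate has
    #    TOTO's DN and key, so issuing from it yields the same issuer name that
    #    TOTO's own self-signed root would put in the certificates.
    newkey alice.key
    csr alice.key "/DC=CH/DC=TOTO/CN=alice" alice.csr
    openssl x509 -req -in alice.csr -CA toto_cross.pem -CAkey toto.key -set_serial 1 \
        -days 90 -out alice.pem 2>/dev/null
    newkey mallory.key
    csr mallory.key "/DC=CH/DC=Unicible/CN=mallory" mallory.csr   # TOTO using Unicible's namespace
    openssl x509 -req -in mallory.csr -CA toto_cross.pem -CAkey toto.key -set_serial 2 \
        -days 90 -out mallory.pem 2>/dev/null
)

# Validate $1 with only the Unicible root trusted and the cross-certificate
# offered as an untrusted intermediate.  Returns openssl's exit status (0 = valid).
verify_via_cross() {
    openssl verify -CAfile "$WORK/unicible.pem" -untrusted "$WORK/toto_cross.pem" "$1"
}

build_pki
verify_via_cross "$WORK/alice.pem"             # prints "<path>/alice.pem: OK"
verify_via_cross "$WORK/mallory.pem" || true   # prints "error 47 at 0 depth lookup: permitted subtree violation"
```

OpenSSL implements the directoryName subtree rule of RFC 3280 section 4.2.1.11 by requiring the constraint DN to be an RDN-by-RDN prefix of the certificate's subject DN (compared on the canonical encoding, so attribute values match case-insensitively). Two caveats a practitioner should keep in mind: the constraint binds only paths that run through this cross-certificate, so a relying party that trusts the TOTO root directly gets no protection from it; and a subtree of one name form constrains only that name form, so if TOTO certificates also carry DNS or e-mail subjectAltNames, those need their own permitted or excluded subtrees.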
