On Thu, Jun 03, 2010 at 09:36:56AM -0400, jeff wrote:

> I have an example, detailed below, that specifies permitted and excluded
> subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
> requests adhering to and violating the name constraints both, even
> though the nameConstraints are marked as critical.

I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates.

Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications. Does OpenSSL trust chain validation include any checks on name constraints?

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
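The thread's point is that name constraints are a property enforced by the party that *verifies* a chain, not by the CA that signs. The following added example (written for this page, not code from the thread or from OpenSSL) models that verification-side check for dNSName entries as RFC 5280 section 4.2.1.10 describes it: a name satisfies a subtree when it equals the subtree or adds labels to its left, a name must fall inside at least one permitted subtree when any are present, and must fall inside no excluded subtree. The CA configuration (`PERMITTED`, `EXCLUDED`) and the leaf SAN lists are constructed sample data; the function names are this example's own.

```python
"""Model of RFC 5280 dNSName name-constraint matching, as a verifier applies it.

Added illustration of the check performed at chain-validation time; it is
not OpenSSL's implementation and does not parse certificates.
"""

from typing import Iterable, List, Optional


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName subtree such as 'example.com' is
    satisfied by 'example.com' itself and by any name formed by adding
    labels on the left, e.g. 'host.example.com'. Comparison is
    case-insensitive and a trailing dot is ignored."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def check_dns_name(name: str,
                   permitted: Iterable[str],
                   excluded: Iterable[str]) -> Optional[str]:
    """Return None when `name` is acceptable under the constraints,
    otherwise a human-readable reason for rejection."""
    permitted = list(permitted)
    # Excluded subtrees win over permitted ones: any match is a rejection.
    for sub in excluded:
        if dns_name_in_subtree(name, sub):
            return f"{name} is within excluded subtree {sub}"
    # If the constrained CA lists permitted dNSName subtrees, the name
    # must sit inside at least one of them.
    if permitted and not any(dns_name_in_subtree(name, s) for s in permitted):
        return f"{name} is not within any permitted subtree {permitted}"
    return None


def verify_leaf_names(san_dns_names: Iterable[str],
                      permitted: Iterable[str],
                      excluded: Iterable[str]) -> List[str]:
    """Check every dNSName of a leaf against its issuer's constraints.
    Returns the list of violations; an empty list means the leaf passes
    this part of chain validation."""
    permitted = list(permitted)
    excluded = list(excluded)
    problems = []
    for n in san_dns_names:
        reason = check_dns_name(n, permitted, excluded)
        if reason is not None:
            problems.append(reason)
    return problems


# Constructed sample: a sub-CA constrained to example.com, with one lab
# zone carved out via an excluded subtree (hypothetical names).
PERMITTED = ("example.com",)
EXCLUDED = ("lab.example.com",)

# Constructed leaf SAN lists: one that a constrained sub-CA may legitimately
# issue, and one that a CA tool would sign happily but a verifier rejects.
GOOD_LEAF = ["www.example.com", "mail.example.com"]
BAD_LEAF = ["www.example.com", "evil.example.net", "box.lab.example.com"]


if __name__ == "__main__":
    print("good leaf:", verify_leaf_names(GOOD_LEAF, PERMITTED, EXCLUDED))
    print("bad leaf: ", verify_leaf_names(BAD_LEAF, PERMITTED, EXCLUDED))
```

Run stand-alone, the good leaf yields no violations and the bad leaf yields two (the `example.net` name is outside every permitted subtree; the `lab.example.com` host is inside the excluded one). Note that `notexample.com` is correctly *not* treated as inside `example.com`, since the comparison is on whole labels rather than a raw suffix; that label boundary is exactly where a careless suffix check goes wrong.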