[Freeipa-devel] CA name constrains
Hello list,

during our last meeting with Simo we discussed support for the name constraints extension in CA certificates and clients.

The Name Constraints extension is defined here:
http://tools.ietf.org/html/rfc5280#section-4.2.1.10

The following article could be interesting for you if you like longer stories:
Mozilla changes policy to limit risk of subordinate CA certificate abuse
Author: Lucian Constantin
19.02.2013 kl 21:50
http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B

If I remember correctly, questions were mainly about support on client side and about implications for older clients.

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] CA name constrains
On Wed, 2013-02-27 at 13:55 +0100, Petr Spacek wrote:
> Hello list,
>
> during our last meeting with Simo we discussed support for the name constraints extension in CA certificates and clients.
>
> The Name Constraints extension is defined here:
> http://tools.ietf.org/html/rfc5280#section-4.2.1.10
>
> The following article could be interesting for you if you like longer stories:
> Mozilla changes policy to limit risk of subordinate CA certificate abuse
> Author: Lucian Constantin
> 19.02.2013 kl 21:50
> http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B
>
> If I remember correctly, questions were mainly about support on client side and about implications for older clients.

I had a chat with Kai Engert (in CC) at DevConf.cz about this, we'll try to work on this as time permits.

NSS seems to support this extension but so far we do not have tests covering it apparently.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-devel] CA name constrains
On Wed, 2013-02-27 at 08:16 -0500, Simo Sorce wrote:
> On Wed, 2013-02-27 at 13:55 +0100, Petr Spacek wrote:
> > Hello list,
> >
> > during our last meeting with Simo we discussed support for the name constraints extension in CA certificates and clients.
> >
> > The Name Constraints extension is defined here:
> > http://tools.ietf.org/html/rfc5280#section-4.2.1.10
> >
> > The following article could be interesting for you if you like longer stories:
> > Mozilla changes policy to limit risk of subordinate CA certificate abuse
> > Author: Lucian Constantin
> > 19.02.2013 kl 21:50
> > http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B
> >
> > If I remember correctly, questions were mainly about support on client side and about implications for older clients.
>
> I had a chat with Kai Engert (in CC) at DevConf.cz about this, we'll try to work on this as time permits.
>
> NSS seems to support this extension but so far we do not have tests covering it apparently.
>
> Simo.

Btw I opened ticket https://fedorahosted.org/freeipa/ticket/3466 to track this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York