Matt McCutchen wrote:
On Apr 6, 5:54 am, Jean-Marc Desperrierjmd...@gmail.com wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You are here talking about a proprietary Microsoft
On Apr 7, 4:54 am, Jean-Marc Desperrier jmd...@gmail.com wrote:
Matt McCutchen wrote:
On Apr 6, 5:54 am, Jean-Marc Desperrierjmd...@gmail.com wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all
On 2010-04-07 01:54 PST, Jean-Marc Desperrier wrote:
Matt McCutchen wrote:
On Apr 6, 5:54 am, Jean-Marc Desperrierjmd...@gmail.com wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You
On Apr 7, 12:47 am, Kurt Seifried k...@seifried.org wrote:
What about www.paypal.com[NULL].yourcompany.com? I assume that would
be allowed by the name constraint with respect to fixed software, but
still hit some older software that has the NULL certificate bug.
I think
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You are here talking about a proprietary Microsoft extension of the X509
security model.
--
dev-tech-crypto mailing list
Matt McCutchen wrote:
A name-constrained intermediate certificate could be quite convenient
for the large organizations that are presently demanding their users
to trust private CAs for the whole Web (see bug 501697).
Ah ! The direction of restricting people who currently use sub-CA for
their
On Tuesday 06 April 2010 10:54:49 Jean-Marc Desperrier wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You are here talking about a proprietary Microsoft extension of the X509
security
On Apr 6, 5:54 am, Jean-Marc Desperrier jmd...@gmail.com wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You are here talking about a proprietary Microsoft extension of the X509
security
On Apr 6, 5:58 am, Jean-Marc Desperrier jmd...@gmail.com wrote:
Ah ! The direction of restricting people who currently use sub-CA for
their purpose to make it more secure will certainly be much more
successful than presenting it as allowing many more people to have their
own sub-CA.
But I do
On 04/07/2010 05:01 AM, Matt McCutchen:
On Apr 6, 5:58 am, Jean-Marc Desperrierjmd...@gmail.com wrote:
Ah ! The direction of restricting people who currently use sub-CA for
their purpose to make it more secure will certainly be much more
successful than presenting it as allowing many more
On Wed, 2010-04-07 at 05:17 +0300, Eddy Nigg wrote:
On 04/07/2010 05:01 AM, Matt McCutchen:
But I do want to allow many more people to have their own sub-CAs,
unless there is an actual technical reason why it is a bad idea, in
which case I am hoping you will tell me.
Yes, for example do
This is not an issue. The name constraint makes it impossible for a
domain registrant to issue a certificate that validates for a server
name outside that domain. Hence, anything bad I do with my
intermediate certificate could only hurt me as registrant of
mattmccutchen.net.
What about
[This thread is to continue the discussion from bug 554442; this
message
recaps the substance of the existing discussion.]
It would be great if a Mozilla-recognized CA would be willing to give
me, as the registrant of mattmccutchen.net, an intermediate CA
certificate with a critical name
On 04/04/2010 08:32, Matt McCutchen wrote:
[...]
It would be great if a Mozilla-recognized CA would be willing to give
me, as the registrant of mattmccutchen.net, an intermediate CA
certificate with a critical name constraint limiting it to
mattmccutchen.net.
I don't believe this taking a
On Apr 4, 6:30 pm, Jean-Marc Desperrier wrote:
On 04/04/2010 08:32, Matt McCutchen wrote:
[...]
It would be great if a Mozilla-recognized CA would be willing to give
me, as the registrant of mattmccutchen.net, an intermediate CA
certificate with a critical name constraint limiting it to
15 matches
Mail list logo