On Wed, Jul 16, 2008 at 10:28:45AM -0600, Peter Saint-Andre wrote:
> Scrap that idea. I was right the first time. RFC 5280 says:
>
> The name constraints extension, which MUST be used only in a CA
> certificate, indicates a name space within which all subject names in
> subsequent certificates in a certification path MUST be located.
>
> Oh well, it was a pleasant notion while it lasted. All of 15 minutes or
> so. ;)
Right :-) Only for CA certificates. If I'm operating a CA that only issues certificates for names in the upenn.edu name space (including SRVName name types), then it might be appropriate for the CA certificate to include a 'upenn.edu' name constraint extension. It might even make it more likely for other people to use that CA certificate as a trust anchor since they could be assured that this CA can only issue certificates for upenn.edu names, and not start issuing certs for microsoft.com or some other unrelated entity.

This of course assumes that certificate validation software is correctly processing and applying the name constraint, which might be a big assumption!

--Shumon.
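The "big assumption" above is that the validator actually applies the permittedSubtrees/excludedSubtrees rules of RFC 5280 section 4.2.1.10 to every subject name below the constrained CA. As an added illustration (not code from the thread or from any of the participants), here is a minimal checker for the dNSName form of that logic; the 'upenn.edu' constraint and the leaf names it is tested against are constructed, and SRVName/otherName forms are not handled.

```python
"""Minimal RFC 5280 4.2.1.10 name-constraint matching for dNSName subtrees.

Added example, not from the thread. Only the dNSName name form is handled;
the constraint values and leaf names below are constructed test data.
"""
from dataclasses import dataclass, field


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """A dNSName is within a subtree when it equals it or can be formed by
    adding labels to its left, compared case-insensitively. 'www.upenn.edu'
    is within 'upenn.edu'; 'notupenn.edu' is not. A leading '.' written by
    some tooling (e.g. '.upenn.edu') is tolerated."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    """The dNSName entries of one CA certificate's name constraints."""
    permitted: list = field(default_factory=list)  # permittedSubtrees
    excluded: list = field(default_factory=list)   # excludedSubtrees

    def allows(self, dns_name: str) -> bool:
        # excludedSubtrees take precedence; an empty permittedSubtrees list
        # places no restriction, a non-empty one requires a match.
        if any(dns_name_in_subtree(dns_name, s) for s in self.excluded):
            return False
        if self.permitted and not any(
            dns_name_in_subtree(dns_name, s) for s in self.permitted
        ):
            return False
        return True


def check_leaf_names(path_constraints, leaf_dns_names):
    """Every CA above the leaf narrows the allowed space, so a leaf name must
    satisfy the constraints of each constrained CA in the path. Returns
    (name, accepted) pairs; a validator that skips this step is the
    'big assumption' the thread describes."""
    return [
        (n, all(c.allows(n) for c in path_constraints)) for n in leaf_dns_names
    ]
```

Running `check_leaf_names([NameConstraints(permitted=["upenn.edu"])], ["www.upenn.edu", "www.microsoft.com"])` accepts the first name and rejects the second.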
