Shumon Huque wrote:
> On Wed, Jul 16, 2008 at 10:28:45AM -0600, Peter Saint-Andre wrote:
>> Scrap that idea. I was right the first time. RFC 5280 says:
>>
>> The name constraints extension, which MUST be used only in a CA
>> certificate, indicates a name space within which all subject names in
>> subsequent certificates in a certification path MUST be located.
>>
>> Oh well, it was a pleasant notion while it lasted. All of 15 minutes or so. ;)
>
> Right :-) Only for CA certificates. If I'm operating a CA that only issues
> certificates for names in the upenn.edu name space (including SRVName
> name types), then it might be appropriate for the CA certificate to
> include a 'upenn.edu' name constraint extension. It might even make it
> more likely for other people to use that CA certificate as a trust anchor
> since they could be assured that this CA can only issue certificates for
> upenn.edu names, and not start issuing certs for microsoft.com or some
> other unrelated entity. This of course assumes that certificate
> validation software is correctly processing and applying the name
> constraint, which might be a big assumption!
I was told that OpenSSL doesn't support that extension, I don't know about other implementations. But for our purposes the point is moot anyway...
/psa
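As an added illustration (not code from this thread or from any of the implementations mentioned in it), here is a small, dependency-free Python checker that applies the RFC 5280 section 4.2.1.10 rule for dNSName constraints along a certification path: a name is inside a permitted subtree when it equals the constraint or ends with "." plus the constraint, constraints from several CAs in the path are intersected, excluded subtrees take precedence, and a nameConstraints extension in a non-CA certificate is rejected, which is the "MUST be used only in a CA certificate" point quoted above. The `Cert` record, `validate_path` and the sample chain are constructed for this example; only DNS names are modelled, not SRVName, rfc822Name or directoryName constraints.

```python
"""Apply RFC 5280 dNSName name constraints along a certification path.

This is an educational model of the validator-side logic the thread
discusses; the Cert record below is a hypothetical stand-in for a parsed
X.509 certificate, not a real library type.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a DNS name satisfies a constraint when it is the
    constraint itself or is formed by adding labels to its left-hand side.
    Comparison is case-insensitive; a trailing dot and a leading dot on the
    constraint (as some tooling emits) are tolerated."""
    n = name.lower().rstrip(".")
    c = constraint.lower().rstrip(".").lstrip(".")
    return n == c or n.endswith("." + c)


@dataclass
class Cert:
    # DNS names the certificate asserts (dNSName SANs); empty for a CA whose
    # subject is only a directory name.
    subject_dns: List[str]
    is_ca: bool = False
    # None means the permittedSubtrees field is absent (unconstrained).
    permitted: Optional[List[str]] = None
    excluded: List[str] = field(default_factory=list)


def _intersect(old: List[str], new: List[str]) -> List[str]:
    """Intersection of two sets of permitted subtrees: keep the narrower of
    each nested pair; unrelated subtrees contribute nothing."""
    result = []
    for p in old:
        for q in new:
            if dns_name_matches(q, p):
                result.append(q)   # q lies inside p
            elif dns_name_matches(p, q):
                result.append(p)   # p lies inside q
    return result


def validate_path(path: List[Cert]) -> Tuple[bool, str]:
    """Walk the path from the constraining CA (path[0]) down to the
    end-entity certificate, enforcing accumulated name constraints on every
    subsequent certificate. Returns (ok, reason)."""
    permitted: Optional[List[str]] = None   # None = no restriction yet
    excluded: List[str] = []
    for idx, cert in enumerate(path):
        # Certificates after the constraining CA must satisfy constraints
        # gathered so far; excluded subtrees win over permitted ones.
        if idx > 0:
            for name in cert.subject_dns:
                if any(dns_name_matches(name, e) for e in excluded):
                    return False, f"{name!r} lies in an excluded subtree"
                if permitted is not None and not any(
                    dns_name_matches(name, p) for p in permitted
                ):
                    return False, f"{name!r} is outside permitted subtrees {permitted}"
        # Then absorb this certificate's own constraints for the rest of the path.
        if cert.permitted is not None or cert.excluded:
            if not cert.is_ca:
                return False, "nameConstraints present in a non-CA certificate"
            if cert.permitted is not None:
                permitted = (
                    list(cert.permitted) if permitted is None
                    else _intersect(permitted, cert.permitted)
                )
            excluded = excluded + list(cert.excluded)
    return True, "ok"


# Constructed sample chain: a CA constrained to upenn.edu, an intermediate
# narrowed further to cis.upenn.edu, and several end-entity candidates.
UPENN_CA = Cert(subject_dns=[], is_ca=True, permitted=["upenn.edu"],
                excluded=["test.upenn.edu"])
CIS_SUB_CA = Cert(subject_dns=[], is_ca=True, permitted=["cis.upenn.edu"])
LEAF_OK = Cert(subject_dns=["WWW.UPENN.EDU.", "xmpp.upenn.edu"])
LEAF_OTHER_ORG = Cert(subject_dns=["www.microsoft.com"])
LEAF_LOOKALIKE = Cert(subject_dns=["notupenn.edu"])
LEAF_EXCLUDED = Cert(subject_dns=["host.test.upenn.edu"])
LEAF_CIS = Cert(subject_dns=["mail.cis.upenn.edu"])

if __name__ == "__main__":
    for label, chain in [
        ("in scope", [UPENN_CA, LEAF_OK]),
        ("other org", [UPENN_CA, LEAF_OTHER_ORG]),
        ("lookalike", [UPENN_CA, LEAF_LOOKALIKE]),
        ("excluded", [UPENN_CA, LEAF_EXCLUDED]),
        ("sub-CA ok", [UPENN_CA, CIS_SUB_CA, LEAF_CIS]),
        ("sub-CA too wide", [UPENN_CA, CIS_SUB_CA, LEAF_OK]),
    ]:
        print(f"{label:16s}", validate_path(chain))
```

Two details are worth noticing: the constraint is a suffix match on whole labels, so `notupenn.edu` does not slip through, and a sub-CA can only narrow the name space it inherited, never widen it, because `_intersect` keeps the inner subtree of each pair. A validator that skips this extension, as the thread worries some do, would accept every chain above.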
