On 01/09/2013 10:10 AM, Erwann Abalea wrote: > > Major browsers seem to deal correctly with basicConstraints. iOS and > MacOSX don't handle NameConstraints, Mozilla used to apply them to SAN > only. > Your definition of "major" differ a bit from mine :-) > > For software stacks, OpenSSL handles BC well, I haven't checked about > NC but it should be OK. > GNUtls correctly handles BC since version 3.1.3, don't know if the > patch has been backported to 3.0 and 2.6; it can't handle NC at all. > GNUtls is widely used on Debian/Ubuntu. > Java needs some testing. > NSS is fine. >
thx > > Lesser used stacks. PolarSSL doesn't check NC, and based on my > readings of the source code, BC support is incomplete. Don't know > about other stacks. > > Le 9 janv. 2013 08:40, "Leif Johansson" <[email protected] > <mailto:[email protected]>> a écrit : > > > > This is something that is easily implemented using a path length > > constraint but you have to know that there is a potential problem to > > avoid it. > > > Has anyone done interop testing in the wild for path length and name > constraints, eg > for commonly deployed TLS stacks and browsers? > > Cheers Leif > _______________________________________________ > wpkops mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/wpkops >
_______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
