On 01/09/2013 04:33 AM, Erwann ABALEA wrote:
[Repost with my correct sender address]

Major browsers seem to deal correctly with basicConstraints. iOS and
MacOSX don't handle NameConstraints, Mozilla used to apply them to SAN only.

For software stacks, OpenSSL handles BC well, I haven't checked about NC
but it should be OK.
GNUtls correctly handles BC since version 3.1.3, don't know if the patch
has been backported to 3.0 and 2.6; it can't handle NC at all. GNUtls is
widely used on Debian/Ubuntu.
Java needs some testing.

Java supports both the Name Constraints extension and Basic Constraints extension path length constraints, in TLS, or in other usages. Let me know if you need more information.

--Sean

NSS is fine.

Lesser used stacks. PolarSSL doesn't check NC, and based on my readings
of the source code, BC support is incomplete. Don't know about other stacks.


2013/1/9 Leif Johansson <[email protected]>


     > This is something that is easily implemented using a path length
     > constraint but you have to know that there is a potential problem to
     > avoid it.
     >
    Has anyone done interop testing in the wild for path length and name
    constraints, e.g. for commonly deployed TLS stacks and browsers?


--
Erwann.


_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops

