Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Frank Siebenlist franks at mcs.anl.gov
Mon Oct 10 12:03:09 CDT 2005


Hi Mike,

I don't know if it works correctly or not, but the openssl change log shows:

http://www.openssl.org/news/changelog.html
...
Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
...
  *) Support for nameConstraints certificate extension.
     [Steve Henson]
...

Did anyone test this?

-Frank.




Mike Helm wrote:

>David Chadwick writes:
>
>>Can anyone give me evidence of support or non-support of commercial CAs 
>>for the name constraints extension?
>
>Well, in the recent past, no commercial client software supported 
>name constraints, so whether commercial CAs supported them or not
>was a moot point.  Well, worse than that, since it's a critical
>extension.  Your CA would be useless.
>
>openssl doesn't support it, so that makes use of name constraints
>in the web &c world pretty much impossible.  I am not sure whether
>recent Windows products can; it would make sense that they do,
>because of cross-signing support, but I don't know.

-- 
Frank Siebenlist               franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory




