Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Von Welch vwelch at ncsa.uiuc.edu
Mon Oct 10 13:07:39 CDT 2005


I don't know of any web browsers that use openssl, btw. Happy to be
proven wrong as this would give me hopes for a web browser that
supported proxy certs.

Von


On Oct 10, 2005, at 12:03 PM, Frank Siebenlist wrote:

> Hi Mike,
>
> I don't know if it works correctly or not, but the openssl change log
> shows:
>
> http://www.openssl.org/news/changelog.html
> ...
> Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
> ...
>   *) Support for nameConstraints certificate extension.
>      [Steve Henson]
> ...
>
> Did anyone test this?
>
> -Frank.
>
> Mike Helm wrote:
>
>> David Chadwick writes:
>>
>>> Can anyone give me evidence of support or non-support of commercial
>>> CAs for the name constraints extension?
>>
>> Well, in the recent past, no commercial client software supported
>> name constraints, so whether commercial CAs supported them or not
>> was a moot point.  Well worse than that, since it's a critical
>> extension.  Your CA would be useless.
>>
>> openssl doesn't support it, so that makes use of name constraints
>> in the web &c world pretty much impossible.  I am not sure whether
>> recent Windows products can; it would make sense that they do,
>> because of cross-signing support, but I don't know.
>>
>
> -- 
> Frank Siebenlist               franks at mcs.anl.gov
> The Globus Alliance - Argonne National Laboratory
>
>
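
Added example, not part of the original thread and not OpenSSL code: a simplified Python model of the RFC 5280 rules behind the "critical extension" point above, showing that a verifier without nameConstraints support must reject a CA that marks the extension critical, and what a supporting verifier checks for DNS names. The dict layout, function names and example.org names are constructed assumptions.

```python
# Simplified model of RFC 5280 processing; all names below are constructed.
NAME_CONSTRAINTS_OID = "2.5.29.30"  # id-ce-nameConstraints


def dns_in_subtree(name, base):
    """A DNS name matches a constraint if it equals the base or adds labels to its left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def violating_names(names, permitted, excluded):
    """Return the DNS names that fall outside permitted or inside excluded subtrees."""
    bad = []
    for n in names:
        if any(dns_in_subtree(n, e) for e in excluded):
            bad.append(n)  # exclusions win over permissions
        elif permitted and not any(dns_in_subtree(n, p) for p in permitted):
            bad.append(n)
    return bad


def check_issuer(ca_extensions, leaf_dns_names, supported_oids):
    """Apply one CA certificate's extensions to the names it issued for."""
    for ext in ca_extensions:
        if ext["oid"] not in supported_oids:
            if ext["critical"]:
                # A verifier must reject any critical extension it cannot process.
                return (False, "unrecognized critical extension " + ext["oid"])
            continue  # unknown non-critical extensions are silently ignored
        if ext["oid"] == NAME_CONSTRAINTS_OID:
            bad = violating_names(leaf_dns_names, ext["permitted"], ext["excluded"])
            if bad:
                return (False, "name constraint violation: " + ", ".join(bad))
    return (True, "ok")


def constrained_ca(critical):
    """Constructed CA extension list limiting issuance to grid.example.org."""
    return [{"oid": NAME_CONSTRAINTS_OID, "critical": critical,
             "permitted": ["grid.example.org"], "excluded": ["test.grid.example.org"]}]


if __name__ == "__main__":
    legacy, modern = set(), {NAME_CONSTRAINTS_OID}
    for client, label in ((legacy, "no support"), (modern, "supports nameConstraints")):
        for names in (["node1.grid.example.org"], ["notgrid.example.org"]):
            print(label, names, check_issuer(constrained_ca(True), names, client))
```

With the extension marked non-critical, the client without support accepts names outside the permitted subtree, so the constraint only binds verifiers that implement it.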




