Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Tony J. Genovese tony at es.net
Mon Oct 10 18:09:01 CDT 2005


Quick search of my 2003 CA...  It is supported. Looks like RFC 2459. From
the man page:

Qualified Subordination [...] All features of qualified subordinate CAs are
new to the Windows Server 2003 family and are not available on Windows 2000
Server. To use these new features, you must use a Windows Server 2003
certification authority.

 Note:  The constraints and policy types listed above are defined in RFC
2459. 
-------+--------
They list a number of names and their associated RFCs that you can use:

[....] You can use the following naming and addressing formats to constrain
the certificate issuance activities of qualified subordinate CAs:

  Directory name (for example, an Active Directory distinguished name) 
  DNS domain name 
  E-mail name 
  User principal name (UPN) 
  Universal Resource Identifier (URI) 
  Internet Protocol address
Tony...

-----Original Message-----
From: owner-caops-wg at ggf.org [mailto:owner-caops-wg at ggf.org] On Behalf Of
David Chadwick
Sent: Monday, October 10, 2005 11:52 AM
To: helm at fionn.es.net
Cc: CAOPS-WG; Von Welch; Olle Mulmo; Joni Hahkala; Jules Wolfrat; Ron
Trompert; Frank Siebenlist
Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike

I am informed by MS that they support name constraints, but I don't know 
which products, OS versions etc.

thanks

David


Mike Helm wrote:
> David Chadwick writes:
> 
>>Can anyone give me evidence of support or non-support of commercial CAs 
>>for the name constraints extension?
> 
> 
> Well, in the recent past, no commercial client software supported 
> name constraints, so whether commercial CAs supported them or not
> was a moot point.  Well worse than that, since it's a critical
> extension.  Your CA would be useless.
> 
> openssl doesn't support it, so that makes use of name constraints
> in the web &c world pretty much impossible.  I am not sure whether
> recent Windows products can; it would make sense that they do,
> because of cross-signing support, but I don't know.
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
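The thread asks whether CAs can issue a Name Constraints extension and whether relying-party software actually enforces it. As an added example that is not part of this thread, the Go code below builds a CA whose Name Constraints extension is marked critical (as the RFC requires) for four of the name forms Tony lists (DNS name, e-mail name, URI and IP address; the directory-name and UPN forms are not modelled), then issues leaves inside and outside the permitted namespace and runs them through Go's crypto/x509 verifier, which does enforce the constraints. The CA name, the namespace example.org and the 192.0.2.0/24 range are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign creates and parses a certificate from tmpl (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // a bad template is a programming error in this demo
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// newConstrainedCA builds a self-signed CA whose critical Name Constraints extension permits only
// the constructed namespace example.org (DNS, e-mail and URI forms) plus the RFC 5737 range 192.0.2.0/24.
func newConstrainedCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	_, ipRange, _ := net.ParseCIDR("192.0.2.0/24")
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constrained CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, // the extension is marked critical, as the RFC requires
		PermittedDNSDomains: []string{"example.org"}, PermittedEmailAddresses: []string{"example.org"},
		PermittedURIDomains: []string{"example.org"}, PermittedIPRanges: []*net.IPNet{ipRange},
	}
	return sign(tmpl, tmpl, pub, key), key
}

// verifyUnder issues a leaf with the given DNS and e-mail SANs under ca and runs Go's chain verifier.
func verifyUnder(ca *x509.Certificate, caKey ed25519.PrivateKey, dns, email string) error {
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{dns}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}, ca, leafPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots}) // every SAN is checked against the CA's constraints
	return err
}
```

verifyUnder returns nil for a leaf naming www.example.org / alice@example.org and a CertificateInvalidError for www.example.net or mallory@example.net; a client that ignored the (critical) extension would accept all three.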
