Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Tony J. Genovese
tony at es.net
Mon Oct 10 18:09:01 CDT 2005
Quick search of my 2003 CA... It is supported. Looks like RFC 2459. From
the man page:
Qualified Subordination [...] All features of qualified subordinate CAs are
new to the Windows Server 2003 family and are not available on Windows 2000
Server. To use these new features, you must use a Windows Server 2003
certification authority.
Note: The constraints and policy types listed above are defined in RFC
2459.
-------+--------
They list a number of names and their associated RFCs that you can use:
[....] You can use the following naming and addressing formats to constrain
the certificate issuance activities of qualified subordinate CAs:
Directory name (for example, an Active Directory distinguished name)
DNS domain name
E-mail name
User principal name (UPN)
Universal Resource Identifier (URI)
Internet Protocol address
Tony...
-----Original Message-----
From: owner-caops-wg at ggf.org [mailto:owner-caops-wg at ggf.org] On Behalf Of
David Chadwick
Sent: Monday, October 10, 2005 11:52 AM
To: helm at fionn.es.net
Cc: CAOPS-WG; Von Welch; Olle Mulmo; Joni Hahkala; Jules Wolfrat; Ron
Trompert; Frank Siebenlist
Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Mike
I am informed by MS that they support name constraints, but I dont know
which products, OS versions etc.
thanks
David
Mike Helm wrote:
> David Chadwick writes:
>
>>Can anyone give me evidence of support or non-support of commercial CAs
>>for the name constraints extension?
>
>
> Well, in the recent past, no commercial client software supported
> name constraints, so whether commercial CAs supported them or not
> was a moot point. Well worse than that, since it's a critical
> extension. Your CA would be useless.
>
> openssl doesn't support it, so that makes use of name constraints
> in the web &c world pretty much impossible. I am not sure whether
> recent Windows products can; it would make sense that they do,
> because of cross-signing support, but I don't know.
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
More information about the caops-wg
mailing list