Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Mon Oct 10 19:29:53 CDT 2005


Von Welch writes:
> I don't know of any web browsers that use openssl, btw. Happy to be  

I don't know whether any browsers support name constraints. Since Tony
and David have reported that the recent MS CA supports it, perhaps
MS CAPI does too and at least some Windows platforms support it.

I am not sure about Mozilla NSS; it might be able to display it, but I don't
see any mention of name constraints in release notes. I'm not familiar
enough with NSS code to be able to tell if it uses it, but it doesn't look
promising.

As for openssl 0.9.8, v3_ncons.c seems to have a test and tree management
routine for names & name constraint rules. I haven't found any other information on it either
on the ssl mailing list or in the distribution. The test directory doesn't seem to use it.
No example CA certs use it. You could code up your own ASN.1 blobs to insert into
a CA, perhaps. Best to ask Steve Henson.

Since there's a mod_ssl version of it now, you could probably make an Apache web server and test it.
If somebody wants to do this, we can make you a CA instance that will include
name constraints.

> On Oct 10, 2005, at 12:03 PM, Frank Siebenlist wrote:
> > I don't know if it works correctly or not, but the openssl change  
> > Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
> >   *) Support for nameConstraints certificate extension.
> >      [Steve Henson]
> > Did anyone test this?
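An added example, not part of the thread above, of the kind of test the message proposes: it uses only the openssl command line (no hand-built ASN.1 blobs) to create a CA carrying a critical nameConstraints extension, issues leaf certificates under it, and shows which ones a constraint-aware verifier accepts. The CA name, hostnames and working directory are constructed for the demo; it assumes an openssl binary from 1.0.2 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA carrying a critical
# nameConstraints extension with the openssl CLI, issue leaf certs under
# it, and show that `openssl verify` accepts names inside the permitted
# DNS subtree and rejects names outside it.
# Assumes a modern openssl binary (1.0.2 or later) on PATH; all names
# and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)

# Create the constrained CA. "permitted;DNS:example.com" allows
# example.com itself and any name formed by prepending labels to it
# (www.example.com), per RFC 5280 section 4.2.1.10; "badexample.com"
# is not covered because the match must fall on a label boundary.
make_constrained_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = Constrained Test CA

[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:example.com
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/ca.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a leaf for hostname $1 as $WORK/$2.pem, with a DNS subjectAltName,
# since that is the name the constraint is matched against.
issue_leaf() {
    host=$1; tag=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/$tag.key" -out "$WORK/$tag.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$tag.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/$tag.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$tag.ext" -out "$WORK/$tag.pem" >/dev/null 2>&1
}

# Verify $WORK/$1.pem against the CA and print "accepted" or "rejected".
# Looking for the ": OK" line instead of trusting the exit status keeps
# this working on older openssl releases whose verify app always exited 0.
check_leaf() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1 | grep -q ': OK'; then
        echo accepted
    else
        echo rejected
    fi
}

# Build the CA, then issue leaves inside and outside the permitted
# subtree. The CA signature on every one of them is valid; only the
# name-constraint check separates them, which is exactly what a client
# that ignores the extension would fail to do.
demo_name_constraints() {
    make_constrained_ca
    issue_leaf www.example.com  inside
    issue_leaf example.com      apex
    issue_leaf www.example.net  outside
    issue_leaf badexample.com   lookalike
    for tag in inside apex outside lookalike; do
        echo "$tag: $(check_leaf "$tag")"
    done
}

demo_name_constraints
```

Running the script prints "accepted" for the two leaves under example.com and "rejected" for the other two, and the rejected cases report "permitted subtree violation" if you drop the output redirection in check_leaf. The same CA and leaf files can be loaded into a browser or an Apache/mod_ssl instance to find out whether that client enforces the extension or silently accepts the outside name.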
