Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Frank Siebenlist
franks at mcs.anl.gov
Tue Oct 11 00:24:09 CDT 2005
Mozilla's Network Security Services (NSS)
(essentially Mozilla's version of openssl)
http://www.mozilla.org/projects/security/pki/nss/
...
8 January 2004: NSS 3.9 Release
The new features and enhancements in NSS 3.9 include GeneralizedTime
support, RFC 3280 compliant name constraints,...
...
... so maybe the current MS&Mozilla browsers do support x509 name
constraints after all...
-Frank.
Tony J. Genovese wrote:
> Here is some information on Name Constraint validation for Windows clients:
>
> --------------- From Microsoft TechNet -------------------
>
> Name constraint validation
> A CA certificate can contain name constraints that are applied to all
> certificate requests made to the CA. Each request is compared to the list of
> permitted and excluded constraints to determine whether the certificate
> should be considered permitted, not permitted, excluded, or not defined.
>
> Note
> Name constraint validation can only be performed by Windows XP and Windows
> Server 2003 clients. Name constraints are not evaluated by Windows 2000
> clients. If you require that name constraints be applied, you can indicate
> that the extensions are critical, which should result in the chain being
> discarded by an application conforming to RFC 2459.
>
> For example, a permitted constraint could allow all DNS names that end in
> contoso.com. This would include DNS names such as contoso.com and
> xcontoso.com. If you only wanted DNS names from the contoso.com DNS name
> space, you could use the permitted constraint .contoso.com. This constraint
> would permit x.contoso.com but exclude xcontoso.com.
>
> When name constraints are present in a CA certificate, the following rules
> are applied to the subject name and alternate subject name entries.
>
> - If the name constraints extension exists in a CA certificate, all name
> constraints should be present in the extension. Any name constraints that
> are not included are considered wildcards that will match all possibilities.
> For example, if the DNS name constraint were absent, the entry would be
> treated as DNS=.
>
> - All name constraints will be considered. There is no precedence applied to
> the listed name constraints. It is for this reason that name constraints
> that are not present are treated as wildcards.
>
> - An excluded name constraint will take precedence over a permitted name
> constraint.
>
> - Name constraints are applied to the subject name extension and any
> existing subject alternate name extensions.
>
> - Name constraints apply to all names contained in an end certificate. Each
> name in the subject or subject alternate name extensions should match at
> least one of the name constraints listed for that name type. A subject name
> or subject alternate name that does not match a listed name type will be
> rejected. Note that most client name spaces are not included in a CA
> certificate and generally do not apply.
>
> - Name constraints are case-sensitive if the names are stored in ASCII or
> Unicode format.
>
> Name restrictions must be enforced across the following alternative name
> information entries in the subject name: Other Name (NT Principal Name
> only); RFC 822 Name; DNS Name; URL; Directory Name, and IP address.
>
> When the certificate chain engine validates an end certificate for name
> constraints, it will arrive at one of the following results:
>
> - Permitted: The end certificate contains a name that is listed as permitted
> in an issuer's name constraints extension.
>
> - Not permitted: The end certificate contains a name that is not listed as
> permitted in an issuer's name constraints extension.
>
> - Excluded: The end certificate contains a name that is listed as excluded in
> an issuer's name constraints extension.
>
> - Not Defined: The issuer certificate does not list a constraint for a
> specific name type (such as Directory Name or IP Address).
>
>
>
--
Frank Siebenlist franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
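The evaluation rules quoted from TechNet above (plain suffix matching, the leading-dot label boundary that separates x.contoso.com from xcontoso.com, excluded taking precedence over permitted, absent name types acting as wildcards, case sensitivity, and the four possible outcomes) are worked through in the following Python model. It is an added example written for this page; it is not code from the thread, from Microsoft's chain engine, or from NSS. The CA constraint set, the hostnames and the e-mail address are constructed samples, and the RFC 822 matcher is an assumption, since the quoted text does not say how e-mail constraints are compared.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    """The four outcomes listed in the quoted TechNet text."""
    PERMITTED = "Permitted"
    NOT_PERMITTED = "Not permitted"
    EXCLUDED = "Excluded"
    NOT_DEFINED = "Not defined"


@dataclass
class TypeConstraints:
    """Permitted and excluded name constraints for one name type (DNS, RFC822, ...)."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


# A CA certificate's name constraints, keyed by name type.
Constraints = Dict[str, TypeConstraints]


def suffix_match(name: str, constraint: str) -> bool:
    """DNS rule as the quoted text describes it: a plain, case-sensitive suffix match.

    'contoso.com' matches both contoso.com and xcontoso.com; '.contoso.com'
    matches x.contoso.com but neither contoso.com nor xcontoso.com, because
    the leading dot forces a label boundary.
    """
    return name.endswith(constraint)


def rfc822_match(address: str, constraint: str) -> bool:
    """Assumed e-mail rule (not spelled out in the quoted text): a constraint
    containing '@' names one mailbox, otherwise it restricts the domain part
    with the same suffix rule as DNS."""
    if "@" in constraint:
        return address == constraint
    return suffix_match(address.rsplit("@", 1)[-1], constraint)


MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "DNS": suffix_match,
    "RFC822": rfc822_match,
}


def evaluate_name(name_type: str, value: str, constraints: Constraints) -> Result:
    """Classify one subject / subject alternative name entry against the CA's constraints."""
    tc = constraints.get(name_type)
    if tc is None or (not tc.permitted and not tc.excluded):
        # No constraint of this type in the CA certificate: treated as a wildcard (DNS=.)
        return Result.NOT_DEFINED
    match = MATCHERS.get(name_type, lambda a, b: a == b)  # exact match for other types
    if any(match(value, c) for c in tc.excluded):
        return Result.EXCLUDED  # an excluded constraint beats a permitted one
    if not tc.permitted or any(match(value, c) for c in tc.permitted):
        return Result.PERMITTED
    return Result.NOT_PERMITTED


def validate_end_certificate(names: List[Tuple[str, str]], constraints: Constraints):
    """Every name must come back Permitted or Not Defined for the chain to pass."""
    details = [(t, v, evaluate_name(t, v, constraints)) for t, v in names]
    accepted = all(r in (Result.PERMITTED, Result.NOT_DEFINED) for _, _, r in details)
    return accepted, details


# Constructed sample CA: only names under contoso.com proper, minus the
# internal.contoso.com subtree; no e-mail or IP constraints are defined.
SAMPLE_CA = {
    "DNS": TypeConstraints(permitted=[".contoso.com"],
                           excluded=["internal.contoso.com"]),
}

# Constructed sample end-entity names (subject CN plus subject alternative names).
SAMPLE_LEAF = [
    ("DNS", "www.contoso.com"),
    ("RFC822", "hostmaster@contoso.com"),
    ("IP", "192.0.2.10"),
]

if __name__ == "__main__":
    for leaf in (SAMPLE_LEAF, [("DNS", "xcontoso.com")], [("DNS", "hr.internal.contoso.com")]):
        ok, details = validate_end_certificate(leaf, SAMPLE_CA)
        print("accepted" if ok else "rejected")
        for t, v, r in details:
            print(f"  {t:7} {v:28} {r.value}")
```

Two design points worth noticing when reading the model against the quoted text: a leaf whose only names are of types the CA never constrained (the e-mail address and IP above) passes, because "Not Defined" is a wildcard rather than a rejection; and the suffix rule is the TechNet one, under which a constraint of `contoso.com` also admits `xcontoso.com`. RFC 5280's DNS rule instead matches on whole labels, so a validator following it would not accept `xcontoso.com` for that constraint; the leading-dot form is the one that gives the same answer under both.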