Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Tue Oct 11 13:05:43 CDT 2005


Frank Siebenlist writes:
> 8 January 2004: NSS 3.9 Release
> ... so maybe the current MS&Mozilla browsers do support x509 name 
> constraints after all...

So it looks like the ingredients to use name constraints successfully
(for instance, commercially)
have finally appeared: in later versions of Windows, in NSS,
and just now in openssl 98 (hence Apache).

The next challenge would be to dump the contents of the 
delivered CA lists from MS and Mozilla and see if any
name constraints can be found.  My guess is the number would be "0",
since openssl is the key player here thru Apache;  if there
are any CAs using name constraints, they are subordinates
not carried yet in those lists.   

It doesn't make sense
to me that the commercial SSL server cert providers would
use name constraints, because of their naming strategies.
But they might use them if they operate a subordinate CA for
some defined party (like a regional government, or 
large company).

The Thawte WoT - personal cert system had a pretty flat
name space the last time I looked at it; wouldn't work
well with name constraints.  I haven't looked at other
personal cert providers in a very long time.
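As an added example that is not part of the thread: a POSIX shell script that uses the openssl CLI to build a constructed two-CA PEM bundle (one CA carrying a Name Constraints extension limited to example.net, one plain CA) and then scans a bundle the way suggested above, dumping each certificate and counting those that carry the extension. The CA names, temp paths and the example.net constraint are assumptions; point count_name_constraints at a real CA bundle to repeat the check.

```sh
#!/bin/sh
# Added example, not from the thread: build a constructed two-CA bundle, then
# scan it by dumping each certificate and looking for X509v3 Name Constraints.
set -eu
WORK=$(mktemp -d)

# Constructed config. v3_ca_nc limits the CA to names under example.net;
# v3_ca_plain is an ordinary unconstrained CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca_nc]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.example.net, permitted;email:.example.net
[v3_ca_plain]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_ca NAME EXTSECTION OUTFILE: one self-signed CA with a throwaway key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -config "$WORK/ca.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$3" 2>/dev/null
}
make_ca "Constructed Constrained CA" v3_ca_nc "$WORK/ca_nc.pem"
make_ca "Constructed Plain CA" v3_ca_plain "$WORK/ca_plain.pem"
cat "$WORK/ca_nc.pem" "$WORK/ca_plain.pem" > "$WORK/bundle.pem"

# count_name_constraints BUNDLE: split the bundle into one cert per file, dump
# each with openssl x509 -text, report matching subjects on stderr, and print
# the number of CAs carrying the extension on stdout.
count_name_constraints() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{i++} {print > (d "/cert" i ".pem")}' "$1"
  n=0
  for c in "$dir"/cert*.pem; do
    if openssl x509 -in "$c" -noout -text | grep -q 'X509v3 Name Constraints'; then
      echo "name constraints present: $(openssl x509 -in "$c" -noout -subject)" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}
echo "CAs with name constraints in bundle: $(count_name_constraints "$WORK/bundle.pem")"
```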
