Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Mike Helm
helm at fionn.es.net
Tue Oct 11 14:44:49 CDT 2005
> provider would want to use name constraints ... is that what you
> meant in the later part of the sentence above?
I think this would only work if the issuer had the name constraint
in its certificate.
See http://www.ietf.org/rfc/rfc3280.txt, bottom of p 36
4.2.1.11 Name Constraints
The name constraints extension, which MUST be used only in a CA
certificate, ...
So if they provided a sub CA for you, then maybe. Otherwise no.
I expect that the number of certs involved is too low for "yes".
(I still think name constraints is supported so poorly, it
will remain unusable for a few years except in closed PKIs.)
There are a number of large subordinate CA projects provided
by VeriSign to certain large academic institutions; there the
answer might well be yes. But I don't know and have no easy
way of finding out.
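
Added example, not part of the original message: a simplified Python model of the point made above, that name constraints take effect only when they sit in a CA certificate above the certificate being checked. The `Cert` class, the `check_path` function and all sample names are assumptions made for illustration; only DNS names are modelled, and real path validation checks much more than this.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (a model, not a parser)."""
    subject: str
    is_ca: bool
    dns_names: list = field(default_factory=list)  # subjectAltName dNSName values
    permitted: list = field(default_factory=list)  # nameConstraints permittedSubtrees
    excluded: list = field(default_factory=list)   # nameConstraints excludedSubtrees

def in_subtree(name, base):
    """DNS rule: the base itself, or the base with labels added on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def check_path(path):
    """path is ordered from the topmost CA down to the end entity.
    Returns a list of violations; an empty list means the names are acceptable."""
    problems = []
    for i, cert in enumerate(path):
        if not cert.is_ca:
            if cert.permitted or cert.excluded:
                problems.append(f"{cert.subject}: nameConstraints in a non-CA certificate")
            continue  # only CA certificates contribute constraints
        for lower in path[i + 1:]:
            for name in lower.dns_names:
                if any(in_subtree(name, b) for b in cert.excluded):
                    problems.append(f"{name}: excluded by {cert.subject}")
                elif cert.permitted and not any(in_subtree(name, b) for b in cert.permitted):
                    problems.append(f"{name}: outside subtrees permitted by {cert.subject}")
    return problems

# Constructed sample chains; all names are placeholders.
ROOT = Cert("Provider Root CA", is_ca=True)
SUB = Cert("Campus Sub CA", is_ca=True, permitted=["example.edu"],
           excluded=["admin.example.edu"])
GOOD = Cert("host 1", is_ca=False, dns_names=["www.example.edu"])
STRAY = Cert("host 2", is_ca=False, dns_names=["www.example.org"])
ADMIN = Cert("host 3", is_ca=False, dns_names=["db.admin.example.edu"])
# No sub CA: the constraint sits in the end-entity certificate, where it binds nothing.
SELF_LIMITED = Cert("host 4", is_ca=False, dns_names=["www.example.org"],
                    permitted=["example.edu"])
```

With the constrained sub CA in the path, the out-of-scope and excluded names are rejected; in the chain without a sub CA, the only finding is the misplaced extension itself.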