Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Von Welch
vwelch at ncsa.uiuc.edu
Tue Oct 11 15:44:12 CDT 2005
My take is also that it wouldn't be prudent, even with these advances
in NameConstraints adoption, to assume they remove the need for RP-
specified policies such as this document describes. That would
require adoption by CAs in general.
Von
On Oct 11, 2005, at 1:05 PM, Mike Helm wrote:
> Frank Siebenlist writes:
>
>> 8 January 2004: NSS 3.9 Release
>> ... so maybe the current MS&Mozilla browsers do support x509 name
>> constraints after all...
>>
>
> So it looks like the ingredients to use name constraints successfully
> (for instance, commercially)
> have finally appeared: in later versions of Windows, in NSS,
> and just now in openssl 98 (hence Apache).
>
> The next challenge would be to dump the contents of the
> delivered CA lists from MS and Mozilla and see if any
> name constraints can be found. My guess is the number would be "0",
> since openssl is the key player here thru Apache; if there
> are any CAs using name constraints, they are subordinates
> not carried yet in those lists.
>
> It doesn't make sense
> to me that the commercial SSL server cert providers would
> use name constraints, because of their naming strategies.
> But they might use them if they operate a subordinate CA for
> some defined party (like a regional government, or
> large company).
>
> The Thawte WoT - personal cert system had a pretty flat
> name space the last time I looked at it; wouldn't work
> well with name constraints. I haven't looked at other
> personal cert providers in a very long time.
>
>
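The check proposed in the quoted message (dump a delivered CA list and see whether any certificate carries name constraints) can be sketched as below. This is an added example, not code from the thread; it walks the DER with the standard library only, and the function names and the two skeletal sample certificates are constructed for illustration (a real run would read a PEM export of the trust store).

```python
import base64
import re

NAME_CONSTRAINTS = bytes.fromhex("551d1e")   # OID 2.5.29.30, DER content bytes
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def has_name_constraints(der):
    """True if the certificate's extension list carries nameConstraints."""
    tbs = children(read_tlv(der, 0)[1])[0][1]  # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            exts = children(val)[0][1]
            return any(children(e)[0] == (0x06, NAME_CONSTRAINTS)
                       for _, e in children(exts))
    return False

def scan_bundle(pem_text):
    """Return one boolean per certificate found in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [has_name_constraints(base64.b64decode(b))
            for b in re.findall(pat, pem_text, re.S)]

# --- constructed sample input: skeletal certificates, not real CA certs ---
def tlv(tag, content):
    assert len(content) < 0x80  # short-form length is enough for these samples
    return bytes([tag, len(content)]) + content

def sample_cert(extensions):
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, extensions)))
    body = base64.encodebytes(tlv(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

bc = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
permitted = tlv(0xA0, tlv(0x30, tlv(0x82, b"example.org")))  # permittedSubtrees: dNSName
nc = tlv(0x30, tlv(0x06, NAME_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, permitted)))
SAMPLE_BUNDLE = sample_cert(bc + nc) + sample_cert(bc)
```

`scan_bundle(SAMPLE_BUNDLE)` reports the extension for the first constructed certificate only; summing the result over a real bundle gives the count the message guesses at.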