[17167] in cryptography@c2.net mail archive


Re: and constrained subordinate CA costs?

daemon@ATHENA.MIT.EDU (Erwann ABALEA)
Mon Mar 28 15:11:12 2005

X-Original-To: cryptography@metzdowd.com
Date: Fri, 25 Mar 2005 21:18:35 +0100 (CET)
From: Erwann ABALEA <erwann@abalea.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Adam Back <adam@cypherspace.org>, cryptography@metzdowd.com
In-Reply-To: <873bujmwyh.fsf_-_@deneb.enyo.de>

On Fri, 25 Mar 2005, Florian Weimer wrote:

> * Adam Back:
>
> > Does anyone have info on the cost of sub-ordinate CA cert with a name
> > space constraint (limited to issue certs on domains which are
> > sub-domains of your choice... ie only valid to issue certs on
> > sub-domains of foo.com).
>
> Is there a technical option to enforce such a policy on subordinated
> CAs?

Yes, the nameConstraints extension. But nobody checks it, and since this
extension MUST be critical as per RFC3280, it invalidates the CA
certificate that includes it, making it useless, for now.

The X.509 standard provides fewer examples of the possible applications of
this extension than RFC3280.

-- 
Erwann ABALEA <erwann@abalea.com> - RSA PGP Key ID: 0x2D0EABD5

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
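
Added example (not part of the original message): a simplified Python model of the two behaviours the reply describes. A relying party that does not recognise a critical nameConstraints extension rejects the CA certificate, and one that does recognise it enforces the dNSName subtree. The Cert and Ext classes, check_chain and the sample names are hypothetical, and this is not a full RFC 3280 path validator.

```python
# Added illustration; simplified model with constructed sample data.
from dataclasses import dataclass

NAME_CONSTRAINTS = "2.5.29.30"   # id-ce-nameConstraints
BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints

@dataclass
class Ext:
    oid: str
    critical: bool
    permitted: tuple = ()  # dNSName subtrees (nameConstraints only)
    excluded: tuple = ()

@dataclass
class Cert:
    subject: str
    dns_names: tuple = ()
    extensions: tuple = ()

def in_subtree(name, base):
    """dNSName rule: base itself, or base with labels added on the left."""
    n = name.lower().rstrip(".").split(".")
    b = base.lower().rstrip(".").split(".")
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def check_chain(ca, leaf, understood):
    """Return (ok, reason) for a leaf issued by a subordinate CA."""
    for cert in (ca, leaf):
        for ext in cert.extensions:
            # An unrecognised critical extension invalidates the certificate.
            if ext.critical and ext.oid not in understood:
                return False, f"unrecognised critical extension {ext.oid} in {cert.subject}"
    for ext in ca.extensions:
        # A validator that does not implement the extension cannot enforce it.
        if ext.oid != NAME_CONSTRAINTS or ext.oid not in understood:
            continue
        for name in leaf.dns_names:
            if any(in_subtree(name, b) for b in ext.excluded):
                return False, f"{name} is in an excluded subtree"
            if ext.permitted and not any(in_subtree(name, b) for b in ext.permitted):
                return False, f"{name} is outside the permitted subtrees"
    return True, "ok"

# Constructed sample data: a subordinate CA limited to foo.com
SUB_CA = Cert("CN=Foo Sub CA", extensions=(Ext(NAME_CONSTRAINTS, True, permitted=("foo.com",)),))
GOOD = Cert("CN=www.foo.com", dns_names=("www.foo.com",))
BAD = Cert("CN=www.bar.com", dns_names=("www.bar.com", "foo.com.bar.com"))

if __name__ == "__main__":
    print(check_chain(SUB_CA, GOOD, {BASIC_CONSTRAINTS}))                    # legacy client
    print(check_chain(SUB_CA, BAD, {BASIC_CONSTRAINTS, NAME_CONSTRAINTS}))   # aware client
```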
