[17172] in cryptography@c2.net mail archive
Re: and constrained subordinate CA costs?
daemon@ATHENA.MIT.EDU (Matt Crawford)
Mon Mar 28 15:16:04 2005
X-Original-To: cryptography@metzdowd.com
Date: Fri, 25 Mar 2005 16:02:36 -0600
From: Matt Crawford <crawdad@fnal.gov>
In-reply-to: <873bujmwyh.fsf_-_@deneb.enyo.de>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Adam Back <adam@cypherspace.org>, cryptography@metzdowd.com
On Mar 25, 2005, at 11:55, Florian Weimer wrote:
>> Does anyone have info on the cost of sub-ordinate CA cert with a name
>> space constraint (limited to issue certs on domains which are
>> sub-domains of your choice... ie only valid to issue certs on
>> sub-domains of foo.com).
>
> Is there a technical option to enforce such a policy on subordinated
> CAs?
There's an X.509v3 NameConstraints extension (which the higher CA would
include in the lower CA's cert) but I have the impression that
end-system software does not widely support it. And of course if you don't
flag it critical, it's not very effective.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
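
The following is an added example, not part of the message above or of any real X.509 library: a simplified Python model of how a client treats a sub-CA's NameConstraints extension, showing why the critical flag decides whether a client without NameConstraints support honors the restriction. The class and function names are hypothetical, `www.example.org` is a constructed out-of-scope name, and only dNSName permitted subtrees are modeled.

```python
"""Simplified model of NameConstraints handling; not a real path validator."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class NameConstraints:
    permitted_dns: Sequence[str]  # permittedSubtrees, dNSName entries only
    critical: bool                # criticality flag set by the issuing (higher) CA


def dns_within(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: the name equals the subtree or adds labels on the left."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def client_accepts(leaf_dns: Sequence[str], nc: Optional[NameConstraints],
                   supports_nc: bool) -> bool:
    """Would a client accept a leaf issued by a sub-CA whose cert carries `nc`?"""
    if nc is None:
        return True                      # unconstrained sub-CA
    if not supports_nc:
        # Unrecognized extension: critical -> reject the path, non-critical -> ignore it.
        return not nc.critical
    # Supporting client: every DNS name in the leaf must fall in a permitted subtree.
    return all(any(dns_within(n, s) for s in nc.permitted_dns) for n in leaf_dns)


if __name__ == "__main__":
    for critical in (False, True):
        nc = NameConstraints(("foo.com",), critical)
        for supports in (True, False):
            for leaf in ("www.foo.com", "www.example.org"):  # constructed names
                print(f"critical={critical} supports={supports} {leaf}: "
                      f"{client_accepts([leaf], nc, supports)}")
```

In this model a non-supporting client accepts the out-of-scope leaf when the extension is non-critical, and rejects every leaf under the sub-CA, including in-scope ones, when it is critical.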