and constrained subordinate CA costs?

Erwann ABALEA erwann at abalea.com
Fri Mar 25 15:18:35 EST 2005


On Fri, 25 Mar 2005, Florian Weimer wrote:

> * Adam Back:
>
> > Does anyone have info on the cost of subordinate CA cert with a name
> > space constraint (limited to issue certs on domains which are
> > sub-domains of your choice... ie only valid to issue certs on
> > sub-domains of foo.com).
>
> Is there a technical option to enforce such a policy on subordinated
> CAs?

Yes, the nameConstraints extension. But nobody checks it, and since this
extension MUST be critical as per RFC3280, it invalidates the CA
certificate that includes it, making it useless, for now.

The X.509 standard provides fewer examples of the possible applications of
this extension than RFC3280.

-- 
Erwann ABALEA <erwann at abalea.com> - RSA PGP Key ID: 0x2D0EABD5

---------------------------------------------------------------------
The Cryptography Mailing List
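
The two rules this reply turns on, as an added example that is not part of the original post: RFC 3280 dNSName subtree matching, and rejection of a certificate carrying a critical extension the client does not implement. The dictionary layout, function names and sample names are assumptions made for illustration; no real certificate is parsed.

```python
# Added illustration, not code from the thread. Certificates are modelled as
# plain dicts: {extension OID: (critical flag, value)}.
NAME_CONSTRAINTS_OID = "2.5.29.30"  # id-ce-nameConstraints

def dns_in_subtree(name, base):
    """A dNSName satisfies a constraint if it equals the base or is formed
    by adding labels on the left. Comparison is per label, so
    'evilfoo.com' does not fall under 'foo.com'."""
    n = name.lower().rstrip(".").split(".")
    b = base.lower().rstrip(".").split(".") if base else []
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def names_allowed(dns_names, permitted, excluded=()):
    """Every name must avoid all excluded subtrees and, when permitted
    subtrees are listed, fall inside at least one of them."""
    for name in dns_names:
        if any(dns_in_subtree(name, e) for e in excluded):
            return False
        if permitted and not any(dns_in_subtree(name, p) for p in permitted):
            return False
    return True

def check_issued(ca_extensions, leaf_dns_names, supported_oids):
    """Return (ok, reason) for a leaf issued under the given CA certificate,
    as seen by a client that implements only supported_oids."""
    # A critical extension the client does not recognise rejects the CA cert.
    for oid, (critical, _) in ca_extensions.items():
        if critical and oid not in supported_oids:
            return False, "unrecognized critical extension " + oid
    if NAME_CONSTRAINTS_OID in ca_extensions and NAME_CONSTRAINTS_OID in supported_oids:
        _, nc = ca_extensions[NAME_CONSTRAINTS_OID]
        if not names_allowed(leaf_dns_names, nc.get("permitted", []),
                             nc.get("excluded", [])):
            return False, "name outside constrained subtree"
    return True, "ok"

# Constructed sample: a subordinate CA limited to foo.com, extension critical.
CA_EXT = {NAME_CONSTRAINTS_OID: (True, {"permitted": ["foo.com"]})}

if __name__ == "__main__":
    aware = {NAME_CONSTRAINTS_OID}   # client that implements the extension
    unaware = set()                  # client that does not
    for names, oids in ((["www.foo.com"], aware), (["www.bar.com"], aware),
                        (["evilfoo.com"], aware), (["www.foo.com"], unaware)):
        print(names, sorted(oids), check_issued(CA_EXT, names, oids))
```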