and constrained subordinate CA costs?
Matt Crawford
crawdad at fnal.gov
Fri Mar 25 17:02:36 EST 2005
On Mar 25, 2005, at 11:55, Florian Weimer wrote:
>> Does anyone have info on the cost of sub-ordinate CA cert with a name
>> space constraint (limited to issue certs on domains which are
>> sub-domains of a your choice... ie only valid to issue certs on
>> sub-domains of foo.com).
>
> Is there a technical option to enforce such a policy on subordinated
> CAs?
There's an X.509v3 NameConstraints extension (which the higher CA would
include in the lower CA's cert) but I have the impression that ends
system software does not widely support it. And of course if you don't
flag it critical, it's not very effective.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list