and constrained subordinate CA costs?

Adam Back adam at cypherspace.org
Fri Mar 25 17:06:17 EST 2005


On Fri, Mar 25, 2005 at 04:02:36PM -0600, Matt Crawford wrote:
> There's an X.509v3 NameConstraints extension (which the higher CA would 
> include in the lower CA's cert) but I have the impression that end 
> system software does not widely support it.  And of course if you don't 
> flag it critical, it's not very effective.

Well I would say downright dangerous -- if it's not flagged critical
and not understood, right?

Implication would be an intended constrained subordinate CA would be
able to function as an unconstrained subordinate CA in the eyes of
many clients -- free ability to forge any domain in the global SSL
PKI.

Adam

On Fri, Mar 25, 2005 at 04:02:36PM -0600, Matt Crawford wrote:
> 
> On Mar 25, 2005, at 11:55, Florian Weimer wrote:
> 
> >>Does anyone have info on the cost of sub-ordinate CA cert with a name
> >>space constraint (limited to issue certs on domains which are
> >>sub-domains of your choice... i.e. only valid to issue certs on
> >>sub-domains of foo.com).
> >
> >Is there a technical option to enforce such a policy on subordinated
> >CAs?
> 
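
The failure mode discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of how a relying party treats the NameConstraints extension, depending on its critical flag and on whether the client implements it. The class and function names are hypothetical, the chain is constructed sample data, and signature, validity and basicConstraints checks are assumed to pass.

```python
from dataclasses import dataclass, field

NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints (RFC 5280)

@dataclass
class Ext:                      # hypothetical model of one X.509v3 extension
    oid: str
    critical: bool
    permitted_dns: tuple = ()

@dataclass
class Cert:                     # hypothetical model, not a real parser
    subject_dns: str
    extensions: list = field(default_factory=list)

def dns_within(name, subtree):
    """dNSName rule: the subtree itself or any name with labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def validate(sub_ca, leaf, understood_oids):
    """One client's extension handling for the sub-CA -> leaf step."""
    for ext in sub_ca.extensions:
        if ext.oid not in understood_oids:
            if ext.critical:
                return "reject: unrecognized critical extension"
            continue  # non-critical and not understood: silently skipped
        if ext.oid == NAME_CONSTRAINTS and not any(
                dns_within(leaf.subject_dns, s) for s in ext.permitted_dns):
            return "reject: name outside permitted subtrees"
    return "accept"

def scenario(critical, client_understands, leaf_name):
    # Constructed sample chain: sub-CA limited to foo.com, as in the thread.
    sub_ca = Cert("Sub CA", [Ext(NAME_CONSTRAINTS, critical, ("foo.com",))])
    oids = {NAME_CONSTRAINTS} if client_understands else set()
    return validate(sub_ca, Cert(leaf_name), oids)

if __name__ == "__main__":
    for critical in (True, False):
        for aware in (True, False):
            for name in ("www.foo.com", "www.example.org"):
                print(f"critical={critical!s:5} aware={aware!s:5} "
                      f"{name:16} -> {scenario(critical, aware, name)}")
```

The only combination that accepts a name outside foo.com is a non-critical extension seen by a client that does not implement it. A critical extension makes such a client reject the whole chain, including legitimate foo.com names.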
