and constrained subordinate CA costs?

Matt Crawford crawdad at
Fri Mar 25 17:34:15 EST 2005

On Mar 25, 2005, at 16:06, Adam Back wrote:

>> There's an X.509v3 NameConstraints extension (which the higher CA
>> would include in the lower CA's cert) but I have the impression that
>> end system software does not widely support it.  And of course if you
>> don't flag it critical, it's not very effective.
> Well I would say downright dangerous -- if it's not flagged critical
> and not understood, right?
> Implication would be an intended constrained subordinate CA would be
> able to function as an unconstrained subordinate CA in the eyes of
> many clients -- free ability to forge any domain in the global SSL
> PKI.

Exactly.  (Just like the root CAs in the browser's shipped list.  :-)

And if it's marked critical, the certificate is no damn use to almost anyone.
Chicken, meet egg.  Egg, chicken.
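An added example, not part of the thread, that makes the criticality point above concrete: it hand-encodes a subordinate CA's NameConstraints extension in DER (standard library only) and applies the RFC 5280 section 4.2 rule a client follows for an extension it does not implement. The domain, the function names and the verdict strings are constructed for illustration.

```python
# Added example: DER-encode a sub-CA NameConstraints extension (critical or not)
# and show what a client that does / does not implement it will do with it.
NC_OID = b"\x06\x03\x55\x1d\x1e"   # id-ce-nameConstraints, OID 2.5.29.30, as a DER TLV

def der(tag, body):                # DER TLV with short- or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def parse_tlv(buf, pos):           # returns (tag, body, position after the TLV)
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def extensions_with_name_constraints(permitted_dns, critical):
    # NameConstraints ::= SEQUENCE { permittedSubtrees [0] SEQUENCE OF GeneralSubtree }
    # GeneralSubtree ::= SEQUENCE { base GeneralName }; dNSName is [2] IA5String.
    subtrees = b"".join(der(0x30, der(0x82, d.encode())) for d in permitted_dns)
    value = der(0x30, der(0xA0, subtrees))
    flag = der(0x01, b"\xff") if critical else b""   # BOOLEAN DEFAULT FALSE is omitted
    ext = der(0x30, NC_OID + flag + der(0x04, value))
    return der(0x30, ext)          # Extensions ::= SEQUENCE OF Extension

def client_verdict(extensions_der, client_implements_nc):
    _, exts, _ = parse_tlv(extensions_der, 0)
    pos, nc_present, nc_critical = 0, False, False
    while pos < len(exts):
        _, ext, pos = parse_tlv(exts, pos)
        _, _, p = parse_tlv(ext, 0)            # skip extnID
        tag, nxt, _ = parse_tlv(ext, p)        # BOOLEAN if present, else extnValue
        critical = tag == 0x01 and nxt != b"\x00"
        if ext.startswith(NC_OID):
            nc_present, nc_critical = True, critical
    if not nc_present:
        return "accept: sub-CA is unconstrained"
    if client_implements_nc:
        return "accept: sub-CA constrained to permitted names"
    if nc_critical:                            # RFC 5280 4.2: unknown critical -> reject
        return "reject: unrecognized critical extension"
    return "accept: constraint IGNORED, sub-CA treated as unconstrained"

# Constructed sample: an issuer that meant to limit the sub-CA to one domain.
CONSTRAINED_CRITICAL = extensions_with_name_constraints(["example.com"], critical=True)
CONSTRAINED_LAX = extensions_with_name_constraints(["example.com"], critical=False)
```

The last verdict is the case the thread calls dangerous: a non-critical constraint on a client that does not implement it yields an unconstrained CA.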
