and constrained subordinate CA costs?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Mar 28 20:28:43 EST 2005
Erwann ABALEA <erwann at abalea.com> writes:
>On Fri, 25 Mar 2005, Florian Weimer wrote:
>>* Adam Back:
>>>Does anyone have info on the cost of sub-ordinate CA cert with a name
>>>space constraint (limited to issue certs on domains which are
>>>sub-domains of a your choice... ie only valid to issue certs on
>>>sub-domains of foo.com).
>>Is there a technical option to enforce such a policy on subordinated
>>CAs?
>
>Yes, the nameConstraints extension. But nobody checks it, and since this
>extension MUST be critical as per RFC3280, it invalidates the CA certificate
>that includes it, making it useless, for now.
Not necessarily, some implementations also ignore the critical flag, so the
cert is treated as valid, although the entire extension is ignored. However a
corollary of this is that because of the hit-and-miss nature of support for
the extension, you can't rely on it unless you carefully control all of the
software that's used to process certs and make sure that it handles everything
correctly.
(Even if your app supports name constraints, there are some rather arcane
matching rules in the spec that a number of apps get wrong, so there's a whole
range of behaviours that you can encounter when you put a nameConstraints
extension in a cert).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list