Von Welch wrote:
My take is also that it wouldn't be prudent, even with these advances in NameConstraints adoption, to assume they remove the need for RP- specified policies such as this document describes. That would require adoption by CAs in general.
Von
Agreed. Also given that the current 3280 semantics are Allow all except, then you cant rely on the name constraints software to remove certs with different name forms to the ones you specify (and fact you can rely on it to accept them) regards David -- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://sec.cs.kent.ac.uk Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************