Mozilla's Network Security Services (NSS) (essentially Mozilla's version of openssl) http://www.mozilla.org/projects/security/pki/nss/
...
8 January 2004: NSS 3.9 Release
The new features and enhancements in NSS 3.9 include GeneralizedTime support, RFC 3280 compliant name constraints,...
...
... so maybe the current MS&Mozilla browsers do support x509 name constraints after all...

-Frank.

Tony J. Genovese wrote:
Here is some information on Name Constraint validation for Windows clients:
--------------- From Microsoft TechNet -------------------
Name constraint validation A CA certificate can contain name constraints that are applied to all certificate requests made to the CA. Each request is compared to the list of permitted and excluded constraints to determine whether the certificate should be considered permitted, not permitted, excluded, or not defined.
Note Name constraint validation can only be performed by Windows XP and Windows Server 2003 clients. Name constraints are not evaluated by Windows 2000 clients. If you require that name constraints be applied, you can indicate that the extensions are critical, which should result in the chain being discarded by an application conforming to RFC 2459.
For example, a permitted constraint could allow all DNS names that end in contoso.com. This would include DNS names such as contoso.com and xcontoso.com. If you only wanted DNS names from the contoso.com DNS name space, you could use the permitted constraint .contoso.com. This constraint would permit x.contoso.com but exclude xcontoso.com.
When name constraints are present in a CA certificate, the following rules are applied to the subject name and alternate subject name entries.
- If the name constraints extension exists in a CA certificate, all name constraints should be present in the extension. Any name constraints that are not included are considered wildcards that will match all possibilities. For example, if the DNS name constraint were absent, the entry would be treated as DNS=.
- All name constraints will be considered. There is no precedence applied to the listed name constraints. It is for this reason that name constraints that are not present are treated as wildcards.
- An excluded name constraint will take precedence over a permitted name constraint.
- Name constraints are applied to the subject name extension and any existing subject alternate name extensions.
- Name constraints apply to all names contained in an end certificate. Each name in the subject or subject alternate name extensions should match at least one of the name constraints listed for that name type. A subject name or subject alternate name that does not match a listed name type will be rejected. Note that most client name spaces are not included in a CA certificate and generally do not apply.
- Name constraints are case-sensitive if the names are stored in ASCII or Unicode format.
Name restrictions must be enforced across the following alternative name information entries in the subject name: Other Name (NT Principal Name only); RFC 822 Name; DNS Name; URL; Directory Name, and IP address.
When the certificate chain engine validates an end certificate for name constraints, it will arrive at one of the following results:
- Permitted: The end certificate contains a name that is listed as permitted in an issuer's name constraints extension.
- Not permitted: The end certificate contains a name that is not listed as permitted in an issuer's name constraints extension.
- Excluded: The end certificate contains a name that is listed as excluded in an issuer's name constraints extension.
- Not Defined: The issuer certificate does not list a constraint for a specific name type (such as Directory Name or IP Address).
-- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
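As an added illustration (not code from the original message, Microsoft or NSS), the following Python models the DNS name-constraint rules exactly as the TechNet excerpt above states them, including the leading-dot suffix semantics and the precedence of excluded over permitted, and extends them to a chain with more than one constraining CA. The CA constraints and host names in it are constructed for the example.

```python
# Added example (not Microsoft's or NSS's code): a small model of the DNS
# name-constraint rules as the TechNet excerpt states them.
# All constraints and host names below are constructed for illustration.
from typing import Iterable, Optional, Sequence, Tuple

# One issuer's DNS constraints: (permitted list or None, excluded list or None).
Constraints = Tuple[Optional[Sequence[str]], Optional[Sequence[str]]]


def dns_matches(name: str, constraint: str) -> bool:
    """Suffix match as described in the excerpt: 'contoso.com' also matches
    'xcontoso.com', while '.contoso.com' matches only names below contoso.com.
    The comparison is case-sensitive, as the excerpt states."""
    return name.endswith(constraint)


def evaluate_dns_name(name: str, permitted: Optional[Sequence[str]],
                      excluded: Optional[Sequence[str]]) -> str:
    """Classify one DNS name against one issuer's constraints.
    Returns 'permitted', 'not permitted', 'excluded' or 'not defined'."""
    if permitted is None and excluded is None:
        return "not defined"       # issuer lists no constraint for DNS names
    if excluded and any(dns_matches(name, c) for c in excluded):
        return "excluded"          # excluded takes precedence over permitted
    if permitted is None:
        return "permitted"         # absent permitted list acts as a wildcard
    if any(dns_matches(name, c) for c in permitted):
        return "permitted"
    return "not permitted"


def chain_accepts(names: Iterable[str], issuers: Sequence[Constraints]) -> bool:
    """Every DNS name in the end certificate must be acceptable to every
    constraining issuer in the chain; a single excluded or not-permitted
    name rejects the whole certificate."""
    acceptable = {"permitted", "not defined"}
    return all(evaluate_dns_name(n, p, e) in acceptable
               for n in names for (p, e) in issuers)


if __name__ == "__main__":
    root = ([".contoso.com"], None)        # constructed root CA: permitted subtree only
    sub = (None, ["secret.contoso.com"])   # constructed sub-CA: excluded subtree only
    print(chain_accepts(["www.contoso.com"], [root, sub]))         # True
    print(chain_accepts(["xcontoso.com"], [root, sub]))            # False: not below contoso.com
    print(chain_accepts(["db.secret.contoso.com"], [root, sub]))   # False: excluded wins
```

Note that RFC 3280 (the profile NSS 3.9 cites) matches DNS constraints on label boundaries, so under it the constraint contoso.com would not match xcontoso.com; this model follows the TechNet wording quoted above instead.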