Quick search of my 2003 CA... It is supported. Looks like RFC 2459.

From the man page:

Qualified Subordination
[...]
All features of qualified subordinate CAs are new to the Windows Server 2003 family and are not available on Windows 2000 Server. To use these new features, you must use a Windows Server 2003 certification authority.

Note: The constraints and policy types listed above are defined in RFC 2459.

-------+--------

They list a number of names and their associated RFCs that you can use:

[....]
You can use the following naming and addressing formats to constrain the certificate issuance activities of qualified subordinate CAs:

Directory name (for example, an Active Directory distinguished name)
DNS domain name
E-mail name
User principal name (UPN)
Universal Resource Identifier (URI)
Internet Protocol address

Tony...

-----Original Message-----
From: owner-caops-wg@ggf.org [mailto:owner-caops-wg@ggf.org] On Behalf Of David Chadwick
Sent: Monday, October 10, 2005 11:52 AM
To: helm@fionn.es.net
Cc: CAOPS-WG; Von Welch; Olle Mulmo; Joni Hahkala; Jules Wolfrat; Ron Trompert; Frank Siebenlist
Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike

I am informed by MS that they support name constraints, but I don't know which products, OS versions etc.

thanks

David

Mike Helm wrote:
David Chadwick writes:
Can anyone give me evidence of support or non-support of commercial CAs for the name constraints extension?
Well, in the recent past, no commercial client software supported name constraints, so whether commercial CAs supported them or not was a moot point. Well, worse than that, since it's a critical extension. Your CA would be useless.
openssl doesn't support it, so that makes use of name constraints in the web &c world pretty much impossible. I am not sure whether recent Windows products can; it would make sense that they do, because of cross-signing support, but I don't know.
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
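The behaviour the thread is debating, shown with Go's standard library as an added example (not code from any participant, and Go rather than the OpenSSL or Windows CA tooling they mention): a CA carrying a critical nameConstraints extension signs two server certificates, and it is the relying party's verifier, not the CA, that accepts the in-scope DNS name and rejects the other. The CA name, domains and validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)
// sign issues tmpl under parent/parentKey and parses the resulting DER back into a Certificate.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // a bad template is a programming error in this demo
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}
// BuildConstrainedCA: self-signed CA whose critical nameConstraints permits DNS names at or under permittedDomain.
func BuildConstrainedCA(permittedDomain string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constrained Test CA"}, // constructed
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomains: []string{permittedDomain}, PermittedDNSDomainsCritical: true, // critical, per RFC
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}
// IssueLeaf: the CA signs a server cert for dnsName with no check of its own; enforcement is the verifier's job.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}
// VerifyAgainstCA chains leaf to ca; Go checks every SAN in the chain against the CA's nameConstraints and
// reports a miss as "... is not permitted by any constraint" (the text Go's own tests match), so classify on it.
func VerifyAgainstCA(ca, leaf *x509.Certificate) (accepted, nameViolation bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil, err != nil && strings.Contains(err.Error(), "is not permitted by any constraint")
}
```

Because the extension is marked critical, a verifier that does not understand nameConstraints must reject the whole chain rather than ignore it, which is the failure mode Mike Helm describes for clients without support.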