-----Original Message-----
From: owner-caops-wg@ggf.org [mailto:owner-caops-wg@ggf.org] On Behalf Of Mike Helm
...

It doesn't make sense to me that the commercial SSL server cert providers would use name constraints, because of their naming strategies. But they might use them if they operate a subordinate CA for some defined party (like a regional government, or large company).

When we used Verisign we had a deal that we had a certificate that could be used to sign so many certs locally. I don't know if we have the same kind of deal with Thawte, but I'll check. In any case, that seems like exactly the case where a commercial provider would want to use name constraints ... is that what you meant in the later part of the sentence above?

Bob Cowles