Hi Mike,

I don't know if it works correctly or not, but the openssl change log shows:

http://www.openssl.org/news/changelog.html
...
Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
...
*) Support for nameConstraints certificate extension. [Steve Henson]
...

Did anyone test this?

-Frank.

Mike Helm wrote:
David Chadwick writes:
Can anyone give me evidence of support or non-support of commercial CAs for the name constraints extension?
Well, in the recent past, no commercial client software supported name constraints, so whether commercial CAs supported them or not was a moot point. Well, worse than that, since it's a critical extension. Your CA would be useless.
openssl doesn't support it, so that makes use of name constraints in the web &c world pretty much impossible. I am not sure whether recent Windows products can; it would make sense that they do, because of cross-signing support, but I don't know.
--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory