Von Welch writes:
I don't know of any web browsers that use openssl, btw. Happy to be
I don't know whether any browsers support name constraints. Since Tony and David have reported that the recent MS CA supports it, perhaps MS CAPI does too and at least some Windows platforms support it. I am not sure about Mozilla NSS; it might be able to display it, but I don't see any mention of name constraints in release notes. I'm not familiar enough with nss code to be able to tell if it uses it, but it doesn't look promising. As for openssl 098, v3_ncons.c seems to have a test and tree management routine for names & name constraint rules. I haven't found any other information on it either on the ssl mailing list or in the distribution. The test directory doesn't seem to use it. No example CA certs use it. You could code up your own ASN.1 blobs to insert into a CA, perhaps. Best to ask Steve Henson. Since there's a mod_ssl version of it now, you could probably make an Apache web server and test it. If somebody wants to do this, we can make you a CA instance that will include name constraints.
On Oct 10, 2005, at 12:03 PM, Frank Siebenlist wrote:
I don't know if it works correctly or not, but the openssl change Changes between 0.9.7h and 0.9.8 [05 Jul 2005] *) Support for nameConstraints certificate extension. [Steve Henson] Did anyone test this?