My take is also that it wouldn't be prudent, even with these advances in NameConstraints adoption, to assume they remove the need for RP-specified policies such as this document describes. That would require adoption by CAs in general.

Von

On Oct 11, 2005, at 1:05 PM, Mike Helm wrote:
Frank Siebenlist writes:
8 January 2004: NSS 3.9 Release ... so maybe the current MS&Mozilla browsers do support x509 name constraints after all...
So it looks like the ingredients to use name constraints successfully (for instance, commercially) have finally appeared: in later versions of Windows, in NSS, and just now in openssl 98 (hence Apache).
The next challenge would be to dump the contents of the delivered CA lists from MS and Mozilla and see if any name constraints can be found. My guess is the number would be "0", since openssl is the key player here through Apache; if there are any CAs using name constraints, they are subordinates not carried yet in those lists.
It doesn't make sense to me that the commercial SSL server cert providers would use name constraints, because of their naming strategies. But they might use them if they operate a subordinate CA for some defined party (like a regional government, or large company).
The Thawte WoT personal cert system had a pretty flat name space the last time I looked at it; it wouldn't work well with name constraints. I haven't looked at other personal cert providers in a very long time.
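The check Mike proposes above, dumping the shipped CA lists and looking for Name Constraints, as an added example that is not code from anyone in the thread: a standard-library Python scanner that walks each PEM certificate's DER and reports which entries carry the nameConstraints extension OID (2.5.29.30). The default bundle path and the two embedded sample DER fragments are constructed for illustration and are not real certificates.

```python
"""Scan a PEM bundle (e.g. a CA list exported from a browser store) for
certificates carrying the X.509 Name Constraints extension, stdlib only."""
import base64
import re
import sys

# DER value of OBJECT IDENTIFIER 2.5.29.30 (id-ce-nameConstraints)
NAME_CONSTRAINTS_OID = bytes.fromhex("551d1e")
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample bundle: two minimal DER fragments (extension SEQUENCEs
# only, not full certificates). Entry 0 carries nameConstraints (critical,
# empty body); entry 1 carries only basicConstraints (2.5.29.19).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMA4wDAYDVR0eAQH/BAIwAA==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAcwBQYDVR0T\n"
    "-----END CERTIFICATE-----\n"
)


def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; returns (tag, value, next_pos).
    Assumes single-byte tags, which holds for every field in an X.509 cert."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_contains_oid(der, oid):
    """True if any OBJECT IDENTIFIER in the DER tree equals oid. Only
    constructed types (bit 6 set) are descended, so OCTET STRING bodies of
    other extensions cannot produce false matches."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _tlv(der, pos)
        if tag == 0x06 and value == oid:
            return True
        if tag & 0x20 and der_contains_oid(value, oid):
            return True
    return False


def certs_with_name_constraints(pem_text):
    """Return 0-based indices of bundle entries that carry Name Constraints."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(pem_text.encode())):
        der = base64.b64decode(b"".join(m.group(1).split()))
        if der_contains_oid(der, NAME_CONSTRAINTS_OID):
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Assumed usage: python scan.py exported-ca-bundle.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print(certs_with_name_constraints(text))
```

The scanner only reports presence of the extension; a real audit would also decode the permitted/excluded subtrees and check whether each relying party's library actually enforces them.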