RE: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
-----Original Message-----
From: owner-caops-wg@ggf.org On Behalf Of Mike Helm
...
It doesn't make sense to me that the commercial SSL server cert providers would use name constraints, because of their naming strategies. But they might use them if they operate a subordinate CA for some defined party (like a regional government, or large company).
When we used Verisign we had a deal where we had a certificate that could be used to sign so many certs locally. I don't know if we have the same kind of deal with Thawte, but I'll check. In any case, that seems like exactly the case where a commercial provider would want to use name constraints ... is that what you meant in the later part of the sentence above?

Bob Cowles
> provider would want to use name constraints ... is that what you meant in the later part of the sentence above?
I think this would only work if the issuer had the name constraint in its certificate. See http://www.ietf.org/rfc/rfc3280.txt, bottom of p. 36, 4.2.1.11 Name Constraints:

    The name constraints extension, which MUST be used only in a CA certificate, ...

So if they provided a sub CA for you, then maybe. Otherwise no. I expect that the number of certs involved is too low for "yes". (I still think name constraints are supported so poorly that they will remain unusable for a few years except in closed PKIs.)

There are a number of large subordinate CA projects provided by Verisign to certain large academic institutions; there the answer might well be yes. But I don't know and have no easy way of finding out.
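The sub-CA arrangement discussed in this thread, as an added example that is not part of the original messages: a Go program using only the standard library that builds an unconstrained root, a subordinate CA carrying a DNS name constraint (in the CA certificate, as RFC 3280 4.2.1.11 requires), and an end-entity certificate, then runs path validation. The domain site.example, the subject names and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key for tpl and signs tpl with issuer's key; a nil issuer means self-signed.
func issue(tpl, parent *x509.Certificate, issuer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if issuer == nil {
		parent, issuer = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, issuer))
	return must(x509.ParseCertificate(der)), key
}

// CheckSiteLeaf builds root -> constrained sub CA -> leaf for host and returns the
// path-validation error, nil when host lies inside the sub CA's permitted subtree.
func CheckSiteLeaf(host string) error {
	now, exp := time.Now(), time.Now().Add(24*time.Hour)
	// Unconstrained root, like a commercial provider's own root (constructed names throughout).
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: "Constructed Root"}, IsCA: true, BasicConstraintsValid: true}, nil, nil)
	// Sub CA operated for one site: the constraint lives here, in a CA certificate (RFC 3280 4.2.1.11).
	sub, subKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: "Constructed Site Sub CA"}, IsCA: true, BasicConstraintsValid: true,
		PermittedDNSDomains: []string{".site.example"}, PermittedDNSDomainsCritical: true}, root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

A leaf for www.site.example validates, while one for www.other.example is rejected by the verifier even though the sub CA signed it, because the constraint is evaluated from the CA certificate rather than from anything in the leaf.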