excluding all distinguished names in NameConstraints
- To: ietf-pkix@xxxxxxx
- Subject: excluding all distinguished names in NameConstraints
- From: Anne Anderson <aha@xxxxxxxxxxxx>
- Date: Tue, 15 Feb 2000 14:36:44 -0500 (EST)
If I want to create a certificate that will not allow the Subject to
issue valid certificates for non-null CertificateSubjectNames or for
SubjectAlternativeNames of type directoryName (ASN.1 "Name"), what
should be in the NameConstraintsExtension?
If I create an excluded GeneralSubtrees containing a name of type
directoryName, then the name must encompass all directoryNames, and
I don't see how that is possible. An ASN.1 Name is a "SEQUENCE OF"
(i.e. at least 1) RelativeDistinguishedName, so I would have to
specify at least one RelativeDistinguishedName. That means
specifying at least one AttributeType. I have now excluded all
DistinguishedNames of that type, but have not excluded others.
If I create a permitted GeneralSubtrees containing no names of type
directoryName, then by definition all names of type directoryName
are permitted unless they are specifically excluded. If I try to
specify a permitted directoryName GeneralSubtrees, then it must
contain at least one RDN containing at least one AttributeType, so
that directoryName type will be permitted.
The only solution I can see is to define a bogus AttributeType and
create a permitted GeneralSubtrees containing a directoryName
containing that AttributeType.
Is there a better way? For all GeneralName types, it is possible to
create a name with the correct type but an empty value since they
are strings or SEQUENCE (not SEQUENCE OF).
Anne
--
Anne H. Anderson Email: aha@acm.org
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
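The subtree-matching rule the message is reasoning about, as an added example that is not part of the original post and is not code from any PKIX implementation: a small Python checker that applies the X.509/PKIX directoryName rule, under which a name falls inside a GeneralSubtree when its leading RDNs equal the base's RDNs, and then applies the permitted/excluded logic of NameConstraints. The sample names (a C=US base, two subject DNs, an empty DN, and a zero-RDN base included only to show the limit case of the prefix rule) are constructed for this example; attribute values are compared by exact equality, which is a simplification of the X.500 matching rules.

```python
# Added example (not from the original message): directoryName name-constraint
# matching with the leading-RDN (prefix) rule of X.509 / PKIX.
#
# A Name is modelled as a list of RDNs (order matters); each RDN is a frozenset
# of (attributeType, value) pairs so multi-valued RDNs compare as sets.
# Values are compared by exact equality (simplification; X.500 rules are
# case-insensitive for many attribute types).


def rdn(*avas):
    """Build one RelativeDistinguishedName from (attribute, value) pairs."""
    return frozenset(avas)


def name(*rdns):
    """Build a Name (RDNSequence) from RDNs, root first."""
    return list(rdns)


def in_subtree(dn, base):
    """True when dn is the base itself or lies below it in the DIT:
    dn must be at least as long as base and its leading RDNs must equal base's.
    A zero-RDN base therefore matches every name, including the empty name."""
    if len(dn) < len(base):
        return False
    return all(dn[i] == base[i] for i in range(len(base)))


def directory_name_allowed(dn, permitted, excluded):
    """Apply NameConstraints to a single directoryName.

    permitted / excluded: lists of base DNs taken from the directoryName
    entries of permittedSubtrees / excludedSubtrees. An empty permitted list
    means no permitted directoryName subtree was given, so every directoryName
    is allowed unless it falls in an excluded subtree. Excluded wins over
    permitted, as in the PKIX path-validation rules."""
    if any(in_subtree(dn, base) for base in excluded):
        return False
    if permitted and not any(in_subtree(dn, base) for base in permitted):
        return False
    return True


# --- constructed sample data ------------------------------------------------
US_BASE = name(rdn(("C", "US")))
SUN_SUBJECT = name(rdn(("C", "US")), rdn(("O", "Sun Microsystems")), rdn(("CN", "Anne")))
FR_SUBJECT = name(rdn(("C", "FR")), rdn(("CN", "someone")))
EMPTY_SUBJECT = name()          # a Name with no RDNs
ZERO_RDN_BASE = name()          # limit case of the prefix rule


def demo():
    """Return the outcomes a practitioner would check for the cases in the message."""
    return {
        # Excluding C=US removes only names under C=US ...
        "sun_under_us_base": in_subtree(SUN_SUBJECT, US_BASE),
        "fr_under_us_base": in_subtree(FR_SUBJECT, US_BASE),
        "fr_allowed_with_us_excluded": directory_name_allowed(FR_SUBJECT, [], [US_BASE]),
        # ... and an empty subject is not under C=US either.
        "empty_allowed_with_us_excluded": directory_name_allowed(EMPTY_SUBJECT, [], [US_BASE]),
        # A zero-RDN base, if one were encoded, would match every directoryName.
        "fr_under_zero_rdn_base": in_subtree(FR_SUBJECT, ZERO_RDN_BASE),
        "empty_under_zero_rdn_base": in_subtree(EMPTY_SUBJECT, ZERO_RDN_BASE),
        "fr_allowed_with_zero_rdn_excluded": directory_name_allowed(FR_SUBJECT, [], [ZERO_RDN_BASE]),
        # A permitted C=US subtree alone already rejects C=FR without any exclusion.
        "fr_allowed_with_us_permitted": directory_name_allowed(FR_SUBJECT, [US_BASE], []),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo` dictionary spells out the point of the message: a directoryName subtree whose base carries one RDN (here C=US) only catches names that begin with that RDN, so a C=FR subject and an empty subject both pass an exclusion of C=US, whereas a base with no RDNs would be a prefix of every name under the same rule.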