Name constraints
... or the lack of support for them (rfc 2459 4.2.1.11)
I recently "had occasion" to try out name constraints and
their support in various revisions of the popular web
browsers, and results are certainly disappointing.
Let "NC" stand for some text along the lines of, "a certificate
that chains to a CA signing certificate that has a name constraints
extension set according to rfc 2459 4.2.1.11, marked critical"
Netscape communicator 4.x rejects connection with an NC, saying that
it has an unknown critical extension. Disappointing, given that
rfc 2459 is approaching its 3rd birthday.
IE 5.5 connected fine with the NC; but it displays it as a blob.
Netscape 6.x connects with the NC, and in successive revisions displays
or manages the certificate a little better each rev. However, they still
don't translate the 2.5.29.30 OID into anything sensible, leaving it
as hex data.
IE 6 connects with the NC fine, and displays a sensible translation of the
name constraint info.
Just for kicks, openssl-096b doesn't translate this OID into anything
readable either (don't see any sign of name constraint support
in the source).
Note that I haven't had time to generate some bogus certificates (out
of conformance with name constraints) to test actual compliance.
But the poor translation behavior by the browsers doesn't inspire
a lot of confidence.
Is this extension dead?
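As an added example that is not part of the post, and not OpenSSL or browser code: a small hypothetical Python decoder for the bytes the post says browsers show as a hex blob, the DER value of the 2.5.29.30 (name constraints) extension. It also wraps the value in an X.509 Extension structure with the critical flag set, so the "unknown critical extension" case is visible, and applies the dNSName matching rule from RFC 2459 4.2.1.11 (a constraint of foo.bar.com is satisfied by foo.bar.com and its subdomains, not by bigfoo.bar.com). The sample DER is constructed inline; all function names are this example's own, only dNSName subtrees are matched, and iPAddress or other name forms are decoded to hex only.

```python
"""Decode the X.509 NameConstraints extension (OID 2.5.29.30) from DER and check a
dNSName against it with the RFC 2459 4.2.1.11 rule. Hypothetical example code."""

GN_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uniformResourceIdentifier", 0x87: "iPAddress"}
OID_NAME_CONSTRAINTS = bytes([0x55, 0x1D, 0x1E])  # 2.5.29.30 in DER

def _tlv(tag, value):
    """Encode one DER tag-length-value (lengths up to 0xFFFF)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value

def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length, 1 or 2 length bytes supported
        n = length & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER payload."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def _decode_subtrees(data):
    """GeneralSubtrees ::= SEQUENCE OF { base GeneralName, [0] minimum, [1] maximum }."""
    out, pos = [], 0
    while pos < len(data):
        tag, subtree, pos = _read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("GeneralSubtree must be a SEQUENCE")
        gtag, base, p = _read_tlv(subtree, 0)
        # rfc822Name, dNSName and URI are IA5String; iPAddress and unknown forms stay hex
        value = base.decode("ascii") if gtag in (0x81, 0x82, 0x86) else base.hex()
        minimum, maximum = 0, None
        while p < len(subtree):
            t, v, p = _read_tlv(subtree, p)
            if t == 0x80:
                minimum = int.from_bytes(v, "big")
            elif t == 0x81:
                maximum = int.from_bytes(v, "big")
        out.append({"type": GN_TAGS.get(gtag, "other(0x%02x)" % gtag), "value": value,
                    "minimum": minimum, "maximum": maximum})
    return out

def decode_name_constraints(der):
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0], excludedSubtrees [1] }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("NameConstraints must be one SEQUENCE")
    result, pos = {"permitted": [], "excluded": []}, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t not in (0xA0, 0xA1):
            raise ValueError("unexpected tag 0x%02x in NameConstraints" % t)
        result["permitted" if t == 0xA0 else "excluded"] = _decode_subtrees(v)
    return result

def encode_extension(value_der, critical=True):
    """Wrap a value as X.509 Extension { OID 2.5.29.30, critical BOOLEAN, OCTET STRING }."""
    body = _tlv(0x06, OID_NAME_CONSTRAINTS) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, value_der))

def decode_extension(der):
    """Return (oid, critical, value). A verifier that does not understand a critical
    OID must reject the certificate, which is the Netscape 4.x outcome in the post."""
    _, body, _ = _read_tlv(der, 0)
    _, oid, p = _read_tlv(body, 0)
    t, v, p = _read_tlv(body, p)
    critical = t == 0x01 and v == b"\xff"
    if t == 0x01:
        t, v, p = _read_tlv(body, p)
    return _decode_oid(oid), critical, v

def dns_matches(name, constraint):
    """RFC 2459: 'foo.bar.com' is satisfied by foo.bar.com and any subdomain of it
    (www.foo.bar.com matches, bigfoo.bar.com does not)."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)

def dns_name_allowed(name, constraints):
    """Reject on any excluded match; if permitted dNSName subtrees exist, require one match."""
    permitted = [s["value"] for s in constraints["permitted"] if s["type"] == "dNSName"]
    excluded = [s["value"] for s in constraints["excluded"] if s["type"] == "dNSName"]
    if any(dns_matches(name, c) for c in excluded):
        return False
    return not permitted or any(dns_matches(name, c) for c in permitted)

def _subtrees(tag, dns_names):
    """Constructed helper: [tag] GeneralSubtrees holding dNSName entries."""
    return _tlv(tag, b"".join(_tlv(0x30, _tlv(0x82, n.encode("ascii"))) for n in dns_names))

# Constructed sample: permit example.com, exclude test.example.com. These are the bytes a
# browser that does not know OID 2.5.29.30 shows as a hex blob.
SAMPLE_NC_DER = _tlv(0x30, _subtrees(0xA0, ["example.com"]) + _subtrees(0xA1, ["test.example.com"]))
```

Running `decode_name_constraints(SAMPLE_NC_DER)` gives the permitted and excluded lists in readable form; `dns_name_allowed("www.example.com", nc)` is true, `dns_name_allowed("foo.test.example.com", nc)` is false because of the excluded subtree, and `dns_name_allowed("bigexample.com", nc)` is false because label-boundary matching is required. The extension wrapper round-trips through `decode_extension(encode_extension(SAMPLE_NC_DER))`, which reports OID 2.5.29.30 with the critical flag set; a verifier that cannot decode that OID and still accepts the chain is the failure mode the post is probing for.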