[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Name constraints

To: "Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>
Subject: Re: Name constraints
From: Michael Helm <helm@xxxxxxxxxxxx>
Date: Thu, 20 Dec 2001 09:35:33 -0800
Cc: ietf-pkix@xxxxxxx
In-reply-to: Your message of "Thu, 20 Dec 2001 10:14:00 EST." <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Reply-to: helm@xxxxxxxxxxxx
Sender: owner-ietf-pkix@xxxxxxxxxxxx

"Housley, Russ" writes:
> Part of the slow implementation may be related to the fact that CAs are not 
> required to support name constraints.  I think that this is appropriate 

Curiously, the ca software I was using for this test is from one 
of those browser implementors.  Support decisions are
probably done on completely different bases!

> Son-of-2459 continues to include name constraints.    It says:
> 
>     At a minimum, applications conforming to this profile MUST recognize
>     4.2.1.7), basic constraints (section 4.2.1.10), name constraints
>     (section 4.2.1.11), policy constraints (section 4.2.1.12), extended

It does seem to be safe to say that at least some of the browser
revs can't meet this profile spec.

References:
- Re: Name constraints
  - From: Housley, Russ

Prev by Date: I-D ACTION:draft-ietf-pkix-rfc2511bis-04.txt
Next by Date: Re: pkcs #6
Previous by thread: Re: Name constraints
Next by thread: DoD's smart card program
Index(es):
- Date
- Thread