RE: Name constraints
IE uses the OS for certificate validation. The first MS OS to support
Name Constraints is Windows XP. If you repeat the test using IE 6 on XP,
you will get different results to IE6 on down-level MS OS's. FYI,
Windows XP also fully implements Certificate policy, policy constraints
and policy mapping.
Trevor
-----Original Message-----
From: Michael Helm [mailto:helm@xxxxxxxxxxxx]
Sent: Thursday, December 20, 2001 9:36 AM
To: Housley, Russ
Cc: ietf-pkix@xxxxxxx
Subject: Re: Name constraints
"Housley, Russ" writes:
> Part of the slow implementation may be related to the fact that CAs are not
> required to support name constraints. I think that this is appropriate
Curiously, the CA software I was using for this test is from one
of those browser implementors. Support decisions are
probably done on completely different bases!
> Son-of-2459 continues to include name constraints. It says:
>
> At a minimum, applications conforming to this profile MUST recognize
> 4.2.1.7), basic constraints (section 4.2.1.10), name constraints
> (section 4.2.1.11), policy constraints (section 4.2.1.12), extended
It does seem to be safe to say that at least some of the browser revs
can't meet this profile spec.