questions about name constraints extension
Hi
I have been looking at the NameConstraints extension and I would like some clarification on whether my examples are correct or incorrect. I also have a few questions/thoughts that I would like some comments on.
Example 1:
permittedSubTrees = { base: c=ie, o=isocor, Maximum 2 }
Does this mean that "c=ie, o=isocor, cn=XXXXX" is *invalid* (because it's not on the permitted list) while anything in the form "c=ie, o=isocor, ou=YYYYY, cn=XXXXX" is valid (Maximum 2 making it valid)?
Example 2:
excludedSubTrees = { base: c=ie, o=isocor, ou=Purchasing, Minimum 2 }
Does this mean that "c=ie, o=isocor, ou=Purchasing, cn=XXXXX" is not allowed (identified by the excluded list) while "c=ie, o=isocor, ou=Purchasing, ou1=YYYYY, cn=XXXXX" is OK because it's not identified?
Some more questions:
1) Is it safe to assume that an entry on the PermittedSubTree would *not* use the Minimum value (the default is zero, so ignore it)?
IMHO the CA should not use the Minimum value on the PermittedSubTree. The only reason I think they might want to use it would be to ensure that the CA would/could only issue subject names within a certain range. But if they want to do that they should be *explicit* and add the suitable value to the ExcludedSubTree.
Is this a valid assumption?
2) Is it safe to assume that the ExcludedSubTree would not use the Maximum value? My logic here would be that the base name specifies the starting excluded name while the Minimum value effectively bounds the name space by saying that beyond this level we are fine:
excludedSubTrees = { base: c=ie, o=isocor, ou=Purchasing, Minimum 2}
Regards
Michael Leahy
ISOCOR
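As an added example (not part of the post above), the following checker applies the X.509 definition of a directory-name subtree, under which minimum and maximum count the number of RDN levels below the base name that fall inside the subtree (minimum defaults to 0, an absent maximum means unbounded), and runs it over the two examples in the post. It assumes DNs written as comma-separated RDNs with the most significant RDN first and a case-insensitive comparison of whole RDNs; the function names are my own.

```python
# Added example: X.509 NameConstraints subtree matching for directory names.
# Assumptions (not from the post): DNs are written "c=ie, o=isocor, cn=x",
# most significant RDN first, and whole RDNs are compared case-insensitively.
# minimum/maximum are taken as the number of RDN levels below the base that
# lie inside the subtree (X.509 definition); RFC 5280 profiles these fields
# down to minimum 0 and maximum absent.
from dataclasses import dataclass
from typing import List, Optional


def parse_dn(dn: str) -> List[str]:
    """Split 'c=ie, o=isocor, cn=x' into a list of normalised RDN strings."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


@dataclass
class Subtree:
    base: str
    minimum: int = 0
    maximum: Optional[int] = None

    def contains(self, dn: str) -> bool:
        base, name = parse_dn(self.base), parse_dn(dn)
        if name[: len(base)] != base:
            return False  # the name is not beneath the base at all
        depth = len(name) - len(base)  # RDN levels below the base
        if depth < self.minimum:
            return False
        if self.maximum is not None and depth > self.maximum:
            return False
        return True


def name_allowed(dn: str, permitted: List[Subtree], excluded: List[Subtree]) -> bool:
    """A name passes if it lies in no excluded subtree and, when any permitted
    subtrees are given, in at least one of them (exclusion takes precedence)."""
    if any(s.contains(dn) for s in excluded):
        return False
    if permitted and not any(s.contains(dn) for s in permitted):
        return False
    return True


if __name__ == "__main__":
    permitted = [Subtree("c=ie, o=isocor", maximum=2)]          # post's example 1
    excluded = [Subtree("c=ie, o=isocor, ou=Purchasing", minimum=2)]  # example 2
    for dn in ("c=ie, o=isocor, cn=x", "c=ie, o=isocor, ou=y, cn=x",
               "c=ie, o=isocor, ou=y, ou=z, cn=x",
               "c=ie, o=isocor, ou=Purchasing, cn=x",
               "c=ie, o=isocor, ou=Purchasing, ou1=y, cn=x"):
        print(dn, "->", name_allowed(dn, permitted, excluded))
```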