Name constraints questions
I'd be very grateful if someone could answer a couple of questions I have
concerning the interpretation of the section of RFC 2459 which discusses
name constraints (section 4.2.1.11).
My original understanding of name constraints was that for each of the possible
name forms, we have a name in a certificate being constrained, and a constraint,
*of the same form*, being applied. This is reinforced by the statement that
'Restrictions apply only when the specified name form is present'.
If the name being constrained is a URI, section 4.2.1.7 of RFC 2459 says
that the URI must 'include a fully qualified domain name or IP Address as
the host'.
Can I safely assume that this domain name/IP address will be represented
according to RFC 1738, section 3.1 (Common Internet Scheme Syntax)? If so,
is there a reason why the spec does not say so (or even, specify that the
whole URI should be in the form described in RFC 1738 section 3.1), and if
not, how else might it be represented?
Going back to section 4.2.1.11, it says that 'For URIs, the constraint
applies to the host part of the name. The constraint may specify a host or a
domain', and gives examples of constraints as 'foo.bar.com' and '.xyz.com'.
These examples are obviously not URIs represented as per RFC 1738; they
look a lot more like DNS names. Can I take this to mean that constraints
on URIs should be represented as DNS names as per RFC 1034 section 3.5
(preferred name syntax) or IP address subnet masks as per RFC 1519 (though
it says nothing at all about the latter here)? Again, if so, is there a reason
why the spec doesn't say so, and if not, what are the possibilities for their
representation?
Sorry if this stuff sounds really picky, but I'm keen to get it right.
Thanks very much for any help.
Will
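The matching the post describes, as an added illustration that is not part of the original message: the host is pulled out of the URI using the RFC 1738 section 3.1 common Internet scheme syntax (`//user:password@host:port/path`), and then compared against a URI name constraint as RFC 2459 section 4.2.1.11 describes it, where a constraint such as 'foo.bar.com' names a single host and one beginning with a period such as '.xyz.com' names a domain that any host within it satisfies. Two assumptions are made that the RFC text leaves open: a domain constraint requires at least one label in front of it (so 'xyz.com' itself does not satisfy '.xyz.com'), and a URI whose host is an IP address literal is never satisfied by a DNS-name constraint.

```python
from urllib.parse import urlsplit
import ipaddress


def uri_host(uri: str) -> str:
    """Return the lowercased host part of a URI written in the RFC 1738
    section 3.1 form //<user>:<password>@<host>:<port>/<url-path>.
    Raises ValueError when the URI carries no host (e.g. mailto:)."""
    host = urlsplit(uri).hostname  # drops user:password@ and :port, lowercases
    if not host:
        raise ValueError(f"URI has no host part: {uri!r}")
    return host


def host_matches_constraint(host: str, constraint: str) -> bool:
    """RFC 2459 4.2.1.11 semantics for a URI constraint: a leading '.' makes it
    a domain constraint that any host *within* that domain satisfies; otherwise
    it names exactly one host.  Comparison is case-insensitive (DNS names).
    Assumption: an IP-address host never satisfies a DNS-name constraint."""
    host, constraint = host.lower(), constraint.lower()
    try:
        ipaddress.ip_address(host)
        return False  # IP literal vs. DNS-name constraint: no match
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if constraint.startswith("."):
        # Assumption (as later clarified in RFC 5280): 'xyz.com' itself does
        # not satisfy '.xyz.com'; only hosts with at least one more label do.
        return host.endswith(constraint)
    return host == constraint


def uri_permitted(uri: str, permitted: list, excluded: list) -> bool:
    """Apply permitted/excluded URI subtrees to one URI.  An excluded match
    always wins; if any permitted subtrees are given, the host must match one.
    An empty permitted list means no permitted restriction for this name form."""
    host = uri_host(uri)
    if any(host_matches_constraint(host, c) for c in excluded):
        return False
    if permitted and not any(host_matches_constraint(host, c) for c in permitted):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the RFC's own example constraints applied to a few URIs.
    for u in ("http://host.xyz.com/", "http://xyz.com/", "ftp://u:p@foo.bar.com:21/x"):
        print(u, uri_permitted(u, [".xyz.com", "foo.bar.com"], ["bad.xyz.com"]))
```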