[Freeipa-devel] CA name constraints

Simo Sorce simo at redhat.com
Wed Feb 27 13:16:49 UTC 2013


On Wed, 2013-02-27 at 13:55 +0100, Petr Spacek wrote:
> Hello list,
> 
> During our last meeting with Simo we discussed support for the name constraints
> extension in CA certificates and clients.
> 
> The Name Constraints extension is defined here:
> http://tools.ietf.org/html/rfc5280#section-4.2.1.10
> 
> The following article could be interesting for you if you like longer stories:
> "Mozilla changes policy to limit risk of subordinate CA certificate abuse"
> Author: Lucian Constantin 19.02.2013 kl 21:50
> http://news.idg.no/cw/art.cfm?id=8C9E7CFA-0E65-24B0-1539C891C8F4C09B
> 
> If I remember correctly, questions were mainly about support on client side 
> and about implications for older clients.

I had a chat with Kai Engert (in CC) at DevConf.cz about this; we'll try
to work on this as time permits.
NSS seems to support this extension, but so far we do not have tests
covering it, apparently.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



