* Simon McVittie <[email protected]>, 2014-06-17, 13:20:
It should be possible to make a CA certificate that is only considered to be valid for the spi-inc.org and debian.org subtrees, and then trust the assertion that SPI control that certificate - but in widely-used applications, that isn't possible.
In theory, the Name Constraints extension should allow one to achieve what you said:
http://tools.ietf.org/html/rfc5280#section-4.2.1.10 No idea how well it is supported, though. -- Jakub Wilk -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
