Balint Balogh wrote:
> Hello
>> In general, this cannot be done. It is possible to put "name constraints"
>> on CAs that are subordinate to a root CA, but not generally on root CAs.
> I was afraid of getting an answer like this but thanks for replying anyway. :)

This is the general problem PKIX and cross certificates are supposed to
solve.
In the PKIX model you would create a new intermediate with the same
subject and keys as the root cert you want to trust. You would then add
constraint extensions to the intermediate to limit what name spaces it
can use (and what policies it can issue). That allows you to extend
limited trust to other certificate domains.
PKIX is currently planned for NSS 3.12, so won't be available in any
Mozilla-based products this year.
bob
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
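
The cross-certificate approach described in the reply above, as an added example that is not part of the original message and is not NSS code: it uses Go's standard `crypto/x509` to build a certificate with the foreign root's subject and key, signed by a local trust anchor and carrying a critical name constraint, then validates leaf certificates through it. The CA names, the `partner.example` subtree and the helper names `issue`, `ca` and `TrustedVia` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template t for public key pub with the parent's private key (parent == t self-signs).
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// ca returns a CA template; every name used here is constructed for the example.
func ca(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// TrustedVia reports whether a leaf for host, issued by the foreign root, validates via the cross cert.
func TrustedVia(host string) bool {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	localKey, foreignKey, leafKey := newKey(), newKey(), newKey()
	lt, ft := ca("Local Anchor"), ca("Foreign Root")
	local, foreign := issue(lt, lt, &localKey.PublicKey, localKey), issue(ft, ft, &foreignKey.PublicKey, foreignKey)
	// Cross certificate: foreign root's subject and key, signed by the local anchor, constrained to one subtree.
	xt := ca("Foreign Root")
	xt.PermittedDNSDomains, xt.PermittedDNSDomainsCritical = []string{"partner.example"}, true
	cross := issue(xt, local, &foreignKey.PublicKey, localKey)
	leaf := issue(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}},
		foreign, &leafKey.PublicKey, foreignKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(local) // only the local anchor is trusted; the foreign root itself is not
	inter.AddCert(cross)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil
}
func main() { fmt.Println(TrustedVia("www.partner.example"), TrustedVia("www.other.example")) }
```

The foreign root's self-signed certificate never enters a trust pool, so its leaves validate only through the constrained cross certificate.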