Frank Hecker wrote:
> Of course using name constraints in the classic sense requires the
> cooperation of the CA (since they have to add the extension to the CA
> cert). I think Gerv was thinking of the more general case where for
> policy reasons we might want to impose constraints on a CA even in the
> case where there was no name constraints extension.
That is correct.
And (forgive my lack of knowledge here) is it possible that even if the
government of Lilliput were happy for their root cert to be restricted
in this way, they may not technically be able to reissue it with the
constraint built in? And even if they are technically able to, they may
not wish to.
> I guess if the NSS code already has code to implement name constraints
> anyway (i.e., keying off the extension) then it would be in theory
> possible for the code to optionally act as if name constraints were in
> effect even if they are not specified in the CA cert itself. (E.g., the
> name constraints information could be stored as metadata with the root CA.)
That sounds, to my untrained ear, like a reasonable implementation
strategy which would achieve the goal.
Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
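An added illustration of the strategy discussed above, written for this page and not code from the thread, from NSS or from Mozilla: a minimal dNSName constraint check in which the permitted/excluded subtrees come either from the CA certificate's own extension or, when the cert carries none, from a policy table the relying party keeps alongside the trusted root. The root subject, the `.gov.lp` subtree and the `ROOT_POLICY` table are constructed placeholders.

```python
# Added example (not NSS code): name constraints applied from either the
# CA cert extension or relying-party metadata stored with the root.
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # dNSName subtrees
    excluded: list = field(default_factory=list)


# Constructed policy table: root subject -> constraints the relying party
# imposes even though the root cert itself has no nameConstraints extension.
ROOT_POLICY = {
    "CN=Lilliput Government Root CA": NameConstraints(permitted=[".gov.lp"]),
}


def dns_in_subtree(name, subtree):
    """dNSName subtree matching as commonly implemented: a subtree with a
    leading dot matches only strict subdomains; without one it matches the
    name itself or any subdomain of it (so 'gov.lp' never matches 'evilgov.lp')."""
    name, subtree = name.lower(), subtree.lower()
    if subtree.startswith("."):
        return name.endswith(subtree) and len(name) > len(subtree)
    return name == subtree or name.endswith("." + subtree)


def effective_constraints(root_subject, cert_constraints=None):
    """Constraints present in the CA cert extension take precedence; otherwise
    fall back to the metadata kept for that root (None if there is none)."""
    if cert_constraints is not None:
        return cert_constraints
    return ROOT_POLICY.get(root_subject)


def check_dns_names(leaf_names, nc):
    """Return (ok, reason) for a leaf's SAN dNSNames under constraints nc.
    Excluded subtrees are checked first; if any permitted subtrees exist,
    every name must fall inside at least one of them."""
    if nc is None:
        return True, "no constraints apply"
    for n in leaf_names:
        if any(dns_in_subtree(n, s) for s in nc.excluded):
            return False, f"{n} is in an excluded subtree"
        if nc.permitted and not any(dns_in_subtree(n, s) for s in nc.permitted):
            return False, f"{n} is outside every permitted subtree"
    return True, "all names within constraints"
```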