Jean-Marc Desperrier wrote:
Johan Sys wrote:
[...]
We did some tests with name constraints with positive results:
SubCA with name constraint as follows:
Permitted
[1]Subtrees (0..Max):
DNS Name=.goodcompany.globalsign
Excluded=None
Issued cert www.goodcompany.globalsign passes. Anything else in CN or
SAN, including hostname and IP addresses gives the expected
‘The Certifying Authority for this certificate is not permitted to
issue a certificate with this name.
(Error code: sec_error_cert_not_in_name_space)’ in Firefox.
I'm very surprised actually. I thought bug 479393 / 651246 (use libpkix
for all certificate validation) was needed for this to work properly.
Will forward this to mozilla.dev.tech.crypto to get some info about how
it can work.
But I forgot to do it. Done now.
IE and Chrome also respect the constraints. We would need to do more
tests with other clients.
Well, if it works with Safari and Opera, it's good to go. And I have
reasonable hope (Safari uses AppleX509TP, which has a quite complete
pkix implementation; the Opera implementation is not bad either).
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
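As an added illustration (not code from the thread, nor from NSS, mozilla::pkix or any other browser's PKIX code), the DNS-name part of the RFC 5280 section 4.2.1.10 name-constraint check that the tests above exercised, run against the thread's `.goodcompany.globalsign` permitted subtree as constructed input. It assumes the leading-dot form means "subdomains only" (how the tested `www` name behaved, though implementations differ on the apex name) and also handles excluded subtrees, which the thread's SubCA did not set.

```python
"""DNS name-constraint matching per RFC 5280 4.2.1.10 (DNS names only).

Added example for the thread above; assumes '.example' (leading dot) means
subdomains only, while 'example' covers the name itself plus subdomains.
"""
import re

# One DNS label: LDH rule, no leading/trailing hyphen (case already folded).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name):
    """Normalise a DNS name to lowercase labels; reject malformed names."""
    name = name.strip().rstrip(".").lower()
    parts = name.split(".")
    if not all(_LABEL.match(p) for p in parts):
        raise ValueError("malformed DNS name: %r" % name)
    return parts


def dns_name_in_subtree(name, subtree):
    """True if `name` lies within the DNS subtree `subtree`.

    Matching is on whole labels, so 'notgoodcompany.globalsign' does NOT
    satisfy a 'goodcompany.globalsign' constraint (a classic bypass if an
    implementation compared string suffixes instead of labels).
    """
    subdomains_only = subtree.startswith(".")
    base = _labels(subtree.lstrip("."))
    host = _labels(name)
    if len(host) < len(base) or host[-len(base):] != base:
        return False
    if subdomains_only and len(host) == len(base):
        return False  # apex itself is excluded by the leading-dot form
    return True


def check_dns_names(names, permitted=(), excluded=()):
    """Apply permitted/excluded DNS subtrees to every presented DNS name.

    Returns (ok, reason). A name fails if it is inside any excluded subtree,
    or if permitted subtrees exist and it is inside none of them (the
    sec_error_cert_not_in_name_space case reported in the thread).
    """
    for name in names:
        for sub in excluded:
            if dns_name_in_subtree(name, sub):
                return False, "%s is in excluded subtree %s" % (name, sub)
        if permitted and not any(dns_name_in_subtree(name, s) for s in permitted):
            return False, "%s is not in any permitted subtree" % name
    return True, "all names within constraints"


if __name__ == "__main__":
    permitted = [".goodcompany.globalsign"]  # constraint from the thread
    for san in (["www.goodcompany.globalsign"], ["www.evilcorp.example"]):
        print(san, check_dns_names(san, permitted))
```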