On Wed, Apr 27, 2011 at 6:42 AM, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> Jean-Marc Desperrier wrote:
>>
>> Johan Sys wrote:
>>>
>>> [...]
>>> We did some tests with name constraints with positive results:
>>> SubCA with name constraint as follows:
>>> Permitted
>>> [1]Subtrees (0..Max):
>>> DNS Name=.goodcompany.globalsign
>>> Excluded=None
>>>
>>> Issued cert www.goodcompany.globalsign passes. Anything else in CN or
>>> SAN, including hostname and IP addresses, gives the expected
>>> ‘The Certifying Authority for this certificate is not permitted to
>>> issue a certificate with this name.
>>> (Error code: sec_error_cert_not_in_name_space)’ in Firefox.
>>
>> I'm very surprised actually. I thought bug 479393 / 651246 (use libpkix
>> for all certificate validation) was needed for this to work properly.
>>
>> Will forward this to mozilla.dev.tech.crypto to get some info about how
>> it can work.
The "classic" certificate verification functions in NSS support name constraints. It is not necessary to use libpkix. The only recent change in this area is https://bugzilla.mozilla.org/show_bug.cgi?id=394919, fixed in NSS 3.12.7.

Wan-Teh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
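To make the result Johan reports concrete, here is an added illustration (not code from the thread, NSS, or GlobalSign) of the dNSName name-constraint matching that produces an accept or a sec_error_cert_not_in_name_space-style rejection. It follows the RFC 5280 section 4.2.1.10 rule for DNS names: a permitted subtree such as host.example.com matches itself and any name built by adding labels on the left, excluded subtrees take precedence, and when a permitted list is present every DNS name in the leaf (SAN dNSName entries plus the CN, since the thread reports both being checked) must fall inside one of them. The leading-dot form used in the thread (.goodcompany.globalsign) is treated as "subdomains only"; that this matches how NSS interprets a leading dot is an assumption, and IP-address SANs are not modelled. The function names and sample names are constructed for the example.

```python
# Added example: RFC 5280-style dNSName name-constraint evaluation for a leaf
# certificate's DNS names. Not from the thread or from NSS; names below are
# constructed to mirror the test Johan Sys describes.


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """Return True if `name` lies within the dNSName constraint `subtree`.

    Without a leading dot, 'host.example.com' matches itself and anything
    formed by adding labels on the left (www.host.example.com), but not
    'host1.example.com'. With a leading dot ('.example.com', the form used in
    the thread) only proper subdomains match, not 'example.com' itself.
    The leading-dot handling is an assumption about NSS behaviour.
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        # Subdomains only: the name must be strictly longer and end in the suffix.
        return len(name) > len(subtree) and name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def check_name_constraints(leaf_dns_names, permitted, excluded):
    """Apply permitted/excluded dNSName subtrees to every DNS name in the leaf.

    Returns (accepted, reason). Excluded subtrees win over permitted ones; if a
    non-empty permitted list exists, every name must match at least one entry,
    which is the condition behind the thread's
    sec_error_cert_not_in_name_space result.
    """
    for name in leaf_dns_names:
        for sub in excluded:
            if dns_name_in_subtree(name, sub):
                return False, f"{name} is inside excluded subtree {sub}"
        if permitted and not any(dns_name_in_subtree(name, sub) for sub in permitted):
            return False, f"{name} is not inside any permitted subtree"
    return True, "all DNS names are within the name constraints"


if __name__ == "__main__":
    # Constructed sample mirroring the SubCA in the thread:
    # Permitted dNSName .goodcompany.globalsign, no excluded subtrees.
    permitted = [".goodcompany.globalsign"]
    excluded = []
    for names in (
        ["www.goodcompany.globalsign"],                    # passes, as in the thread
        ["www.goodcompany.globalsign", "mail.other.example"],  # second name is out of scope
        ["goodcompany.globalsign"],                        # leading dot: subdomains only
        ["www.goodcompany.globalsign.attacker.example"],   # suffix trick does not match
    ):
        ok, why = check_name_constraints(names, permitted, excluded)
        print(names, "->", "accepted" if ok else "rejected", "-", why)
```

The CN is passed in alongside the SAN names because the thread observes Firefox rejecting disallowed names in either place; a verifier that only consulted the SAN would miss a CN-only hostname.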