[Freeipa-devel] Multiple CA certificates in LDAP, questions
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Sep 9 20:07:09 UTC 2013
Aren't the implementations of name constrains generally buggy, and therefore not usable in real life?
On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
>> Good point. Isn't there an X509 extension (possibly part of PKIX?) which
>> restricts membership in the chain path to a criteria. In other words you
>> can require your sub-CA to be present in the chain. Sorry, but my memory
>> is a bit fuzzy on this.
>
> If you're talking about Name Constraints, they seem to be geared more
> toward allowing a CA to limit what a sub CA that it issues can be
> trusted to do, and not the other way around.
>
> I don't think I know of anything that deals with this that doesn't
> eventually end up setting up library-specific configuration for the
> library that's going to be verifying the certificate.
>
> Nalin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Freeipa-devel
mailing list