[Freeipa-devel] Multiple CA certificates in LDAP, questions
Nalin Dahyabhai
nalin at redhat.com
Mon Sep 9 20:54:00 UTC 2013
On Mon, Sep 09, 2013 at 01:07:09PM -0700, Henry B. Hotz wrote:
> On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> > On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote:
> >> Good point. Isn't there an X509 extension (possibly part of PKIX?) which
> >> restricts membership in the chain path to a criteria. In other words you
> >> can require your sub-CA to be present in the chain. Sorry, but my memory
> >> is a bit fuzzy on this.
> >
> > If you're talking about Name Constraints, they seem to be geared more
> > toward allowing a CA to limit what a sub CA that it issues can be
> > trusted to do, and not the other way around.
>
> Aren't the implementations of name constrains generally buggy, and therefore not usable in real life?
Yes, ISTR hearing that library support for them was not as widespread as
I'd have hoped.
There's also the secondary problem that the standards don't specify how
to express Name Constraints on AnotherName values, for example Kerberos
principal names. Though it's possible I just haven't found where that
was done.
Cheers,
Nalin
More information about the Freeipa-devel
mailing list