Nelson B Bolyard wrote:
> SANs solve this whole problem. They have a component that may ONLY contain
> DNS names, and therefore is easily constrained. DNS name constraints would
> be effective if certs ONLY put DNS names into SANs. But putting DNS names
> into SANs effectively bypasses name constraints (at least, in
> implementations I tested last year).
Look at the server certificate here(*): https://edgecastcdn.net/ and the SANs in it. The server cert is from a 3-level CA hierarchy (Entrust on top, two intermediate CAs from DigiCert).

How exactly are name constraints going to make issuing such certs easier or safer, and can you actually come up with meaningful name constraints for such a cert?

-Martin

(*) Server cert example found here: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html recently mentioned on this list.

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
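The question above is what a dNSName constraint would have to look like for a multi-tenant CDN certificate whose SAN lists many unrelated domains. The following is an added worked example (not code from either poster, and not the actual SAN list of the edgecastcdn.net certificate): it implements the RFC 5280 section 4.2.1.10 dNSName matching rule (a name satisfies a constraint when zero or more labels added on the left of the constraint give the name), checks a SAN list against permitted/excluded subtrees, and computes the smallest permittedSubtrees set, drawn from the names themselves, that still covers every SAN. The domain names in SAMPLE_SAN are constructed for illustration.

```python
"""RFC 5280 dNSName name-constraint matching applied to a SAN list.

Added example for the certid thread above; the sample names are constructed
(.test / .example reserved domains), not the real certificate's SAN entries.
"""
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: 'host.example.com' is satisfied by host.example.com and
    by any name formed by adding labels on the left (www.host.example.com),
    but not by host1.example.com. An empty constraint matches every name."""
    n, c = _labels(name), _labels(constraint)
    if c == [""]:
        return True
    return len(n) >= len(c) and n[-len(c):] == c


@dataclass
class NameConstraints:
    """The dNSName part of a NameConstraints extension on an issuing CA."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)


def check_san(dns_names: list[str], nc: NameConstraints) -> list[str]:
    """Return the SAN dNSNames that the constraint rejects, in SAN order.

    An excludedSubtrees match always rejects; if permittedSubtrees is non-empty,
    a name that matches none of its entries is rejected as well."""
    rejected = []
    for name in dns_names:
        if any(dns_name_matches(name, x) for x in nc.excluded):
            rejected.append(name)
        elif nc.permitted and not any(dns_name_matches(name, p) for p in nc.permitted):
            rejected.append(name)
    return rejected


def minimal_permitted(dns_names: list[str]) -> list[str]:
    """Smallest permittedSubtrees list, using only names from the SAN itself,
    under which check_san() rejects nothing. Shorter names are considered first,
    so a name already covered by a parent in the list is dropped."""
    names = sorted({n.lower().rstrip(".") for n in dns_names},
                   key=lambda n: (len(_labels(n)), n))
    chosen: list[str] = []
    for n in names:
        if not any(dns_name_matches(n, c) for c in chosen):
            chosen.append(n)
    return chosen


# Constructed stand-in for a CDN certificate serving several customers' hosts.
SAMPLE_SAN = [
    "edgecast-example.test",
    "www.edgecast-example.test",
    "cdn.customer-a.test",
    "*.customer-b.test",
    "static.customer-c.example",
]

if __name__ == "__main__":
    cdn_only = NameConstraints(permitted=["edgecast-example.test"])
    print("rejected under a single-domain constraint:", check_san(SAMPLE_SAN, cdn_only))
    print("constraint needed to cover the whole SAN:", minimal_permitted(SAMPLE_SAN))
```

Running it shows the point of the question: constraining the intermediate to the CDN's own domain rejects every customer host, and the smallest constraint that admits the certificate is essentially the SAN list itself (one entry per unrelated tenant), which has to be reissued on the CA every time a tenant is added.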
