From: Arshad N. <ars...@st...> - 2012-05-24 20:33:43
Hi,

Not sure if I'm reading this correctly, but does EJBCA have support for issuing/understanding certificates with the nameConstraints (OID 2.5.29.30) extension in them, so it can only issue certificates that conform to the constraint? I don't see any reference to this constraint in its documentation.

I did find an old e-mail that seems to indicate that PrimeKey does NOT recommend this extension:

http://osdir.com/ml/java.ejbca.devel/2006-02/msg00092.html

Unfortunately, because of all the problems recently with CAs being compromised, TTP CAs are now planning to enforce the use of this extension to limit their liability. However, the CA software must be able to support the use of the constraint and check all CSRs to see if the constraint is satisfied before issuing the certificate. I'm unable to find anything in EJBCA docs that indicates this is supported; can someone please provide some clarification?

Thanks.

Arshad Noor
StrongAuth, Inc.
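
The pre-issuance check the message describes, sketched for dNSName entries only, using the matching rule from RFC 5280 section 4.2.1.10. This is an added example, not EJBCA code and not part of the original post; the function names are hypothetical and every name in the sample data is constructed.

```python
# Added example: does every DNS name requested in a CSR fall inside the
# issuing CA's nameConstraints? Covers dNSName subtrees only; other
# GeneralName types (directoryName, rfc822Name, iPAddress) need their own rules.

def _labels(name):
    """Normalise a DNS name to a lowercase label list (trailing dot dropped)."""
    return name.strip().rstrip(".").lower().split(".")

def dns_in_subtree(name, subtree):
    """True if `name` equals `subtree` or only adds labels on its left side.

    Comparing whole labels (not string suffixes) is what keeps
    'badexample.com' out of the 'example.com' subtree.
    """
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[-len(s):] == s

def check_dns_names(requested, permitted, excluded):
    """Return a list of (name, reason) violations; an empty list means compliant.

    permitted=None means the CA certificate carries no permitted dNSName
    subtree, so only the excluded subtrees restrict DNS names.
    Excluded subtrees always win over permitted ones.
    """
    violations = []
    for name in requested:
        if any(dns_in_subtree(name, e) for e in excluded):
            violations.append((name, "excluded"))
        elif permitted is not None and not any(
                dns_in_subtree(name, p) for p in permitted):
            violations.append((name, "not permitted"))
    return violations

# Constructed sample: constraints of a hypothetical subordinate CA and the
# subjectAltName dNSName values taken from a hypothetical CSR.
SAMPLE_PERMITTED = ["example.com"]
SAMPLE_EXCLUDED = ["internal.example.com"]
SAMPLE_CSR_NAMES = ["www.example.com", "EXAMPLE.com.", "badexample.com",
                    "db.internal.example.com", "example.org"]

if __name__ == "__main__":
    for name, reason in check_dns_names(SAMPLE_CSR_NAMES, SAMPLE_PERMITTED,
                                        SAMPLE_EXCLUDED):
        print(f"refuse issuance: {name} ({reason})")
```

A CA would run a check of this kind on every name in the request and refuse issuance if the returned list is non-empty.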