From: Tomas G. <to...@pr...> - 2012-05-25 06:58:37

Hi Arshad,

Currently you can use custom extensions to implement name constraints. We have done that for customers. The main responsibility is for the client, when verifying the certificate chain, to reject certificates violating the constraints. The client implementations for this are currently not perfect, with different flaws on various platforms, as our testing shows. I'd expect this to work better and be more widely deployed in the future though.

Cheers,
Tomas

On 05/24/2012 10:14 PM, Arshad Noor wrote:
> Hi,
>
> Not sure if I'm reading this correctly, but does EJBCA have support
> for issuing/understanding certificates with the nameConstraints (OID
> 2.5.29.30) extension in them, so it can only issue certificates that
> conform to the constraint? I don't see any reference to this
> constraint in its documentation.
>
> I did find an old e-mail that seems to indicate that PrimeKey does
> NOT recommend this extension:
>
> http://osdir.com/ml/java.ejbca.devel/2006-02/msg00092.html
>
> Unfortunately, because of all the problems recently with CAs being
> compromised, TTP CAs are now planning to enforce the use of this
> extension to limit their liability. However, the CA software must
> be able to support the use of the constraint and check all CSRs to
> see if the constraint is satisfied before issuing the certificate.
> I'm unable to find anything in EJBCA docs that indicates this is
> supported; can someone please provide some clarification? Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
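The check the two messages above talk about, on both sides: a relying party rejecting a chain whose end-entity names fall outside a CA's nameConstraints, and a CA refusing to issue a certificate whose requested names its own constraints would not let a client accept. This is an added example, not part of the thread and not EJBCA or PrimeKey code. It implements the RFC 5280 section 4.2.1.10 matching rules for dNSName, rfc822Name and iPAddress in standard-library Python on already-decoded values; the constraint values, subjectAltName entries and CA layout below are constructed for illustration, and DER decoding of the extension (OID 2.5.29.30) is assumed to be done beforehand by an X.509 library.

```python
"""RFC 5280 section 4.2.1.10 name-constraint matching for dNSName, rfc822Name
and iPAddress (standard library only).  Added example, not EJBCA code: it
works on values already decoded from each CA's nameConstraints extension and
from the end-entity subjectAltName; DER parsing is out of scope here."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """Decoded nameConstraints of one CA certificate.  Entries are (kind, value)
    with kind in {"dns", "email", "ip"}; dns/email values are str, ip values are
    the raw address||mask bytes (8 for IPv4, 32 for IPv6) as the extension
    carries them."""
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_matches(name: str, constraint: str) -> bool:
    """dNSName 'host.example.com' is satisfied by that name and by any name made
    by adding labels on the left (www.host.example.com), never by a sibling
    (host1.example.com).  A leading dot is the pre-RFC 5280 (RFC 2459) spelling
    meaning 'strict subdomains only'; accepted here for legacy constraints."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def email_matches(name: str, constraint: str) -> bool:
    """rfc822Name: a full mailbox matches only that mailbox (local part is
    case-sensitive, RFC 5280 section 7.5); a bare host matches any mailbox on
    exactly that host; a leading dot matches mailboxes anywhere in the domain
    but not on the bare host itself."""
    local, _, host = name.rpartition("@")
    host = host.lower()
    if "@" in constraint:
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host == c_host.lower()
    constraint = constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


def ip_matches(address: bytes, constraint: bytes) -> bool:
    """iPAddress constraints are address||mask; the name matches when it agrees
    with the constraint address on every bit the mask selects.  An IPv4 name
    never matches an IPv6 constraint and vice versa (length check)."""
    if len(constraint) != 2 * len(address):
        return False
    half = len(address)
    base = int.from_bytes(constraint[:half], "big")
    mask = int.from_bytes(constraint[half:], "big")
    return int.from_bytes(address, "big") & mask == base & mask


_MATCHERS = {"dns": dns_matches, "email": email_matches, "ip": ip_matches}


def check_name(name, nc: NameConstraints):
    """None if `name` satisfies `nc`, else a reason.  If any permitted subtree
    of the name's kind exists the name must fall in one of them, and it must
    fall in no excluded subtree of its kind; other kinds do not restrict it."""
    kind, value = name
    match = _MATCHERS[kind]
    permitted = [v for k, v in nc.permitted if k == kind]
    if permitted and not any(match(value, c) for c in permitted):
        return f"{kind} {value!r} is outside every permitted subtree"
    for k, c in nc.excluded:
        if k == kind and match(value, c):
            return f"{kind} {value!r} falls in excluded subtree {c!r}"
    return None


def violations(chain_constraints, leaf_names):
    """Check every end-entity name against the constraints of every CA above it
    (one NameConstraints per CA that carries the extension).  Empty result means
    acceptable; a verifier must reject the chain otherwise.  Run on a CSR's
    requested names, the same check lets a CA refuse to issue."""
    out = []
    for depth, nc in enumerate(chain_constraints):
        for name in leaf_names:
            reason = check_name(name, nc)
            if reason:
                out.append(f"CA #{depth}: {reason}")
    return out


# Constructed sample: an issuing CA constrained to example.org and 10.1.0.0/16.
CA_CONSTRAINTS = NameConstraints(
    permitted=[("dns", "example.org"), ("email", ".example.org"),
               ("ip", ipaddress.ip_address("10.1.0.0").packed
                      + ipaddress.ip_address("255.255.0.0").packed)],
    excluded=[("dns", "legacy.example.org")],
)
GOOD_LEAF = [("dns", "www.example.org"), ("email", "ops@mail.example.org"),
             ("ip", ipaddress.ip_address("10.1.7.9").packed)]
BAD_LEAF = [("dns", "www.example.org.attacker.net"),   # suffix trick, not a subdomain
            ("dns", "old.legacy.example.org"),          # permitted but excluded
            ("email", "root@example.org"),              # bare host, not in '.example.org'
            ("ip", ipaddress.ip_address("10.2.0.1").packed)]  # outside the /16

if __name__ == "__main__":
    print(violations([CA_CONSTRAINTS], GOOD_LEAF))
    for v in violations([CA_CONSTRAINTS], BAD_LEAF):
        print(v)
```

Two caveats for anyone using this shape on the issuing side: RFC 5280 also applies an rfc822Name constraint to an emailAddress attribute in the subject DN when the certificate carries no rfc822Name in subjectAltName, so a CSR check has to look at the subject as well as the SAN; and the leading-dot dNSName form above is legacy syntax that not every verifier accepts, which is one of the platform differences a constrained CA deployment has to test for.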