Re: [Ejbca-develop] nameConstraints extension support in EJBCA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I was a little hasty; I should have clarified that since the
constraint allows for more than one permitted sub-tree, there
will be other permitted sub-tree besides the one for which the
certificate-issuance is allowed.

Arshad Noor
StrongAuth, Inc.

On 05/25/2012 09:33 AM, Arshad Noor wrote:
>
> For example, a browser checks the subjectAltName extension for the
> FQDN and matches it up with the FQDN of the web-site it is connected
> to.  If they do not match, you get the proverbial warnings.  Since the
> use of SAN is universal for server SSL certificates, what would it
> matter if the nameConstraint had a completely different FQDN in the
> permitted sub-tree (as long as the site and the SAN FQDN matched?
>