* Simon McVittie <s...@debian.org>, 2014-06-17, 13:20:
It should be possible to make a CA certificate that is only considered to be valid for the spi-inc.org and debian.org subtrees, and then trust the assertion that SPI control that certificate - but in widely-used applications, that isn't possible.
In theory, the Name Constraints extension should allow one to achieve what you said:
http://tools.ietf.org/html/rfc5280#section-4.2.1.10 No idea how well it is supported, though. -- Jakub Wilk -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140617123427.ga5...@jwilk.net
