On Tue, Jun 17, 2014 at 02:34:27PM +0200, Jakub Wilk wrote:
> * Simon McVittie <s...@debian.org>, 2014-06-17, 13:20:
> >It should be possible to make a CA certificate that is only considered to
> >be valid for the spi-inc.org and debian.org subtrees, and then trust the
> >assertion that SPI control that certificate - but in widely-used
> >applications, that isn't possible.
>
> In theory, the Name Constraints extension should allow one to achieve what
> you said:
> http://tools.ietf.org/html/rfc5280#section-4.2.1.10
> No idea how well it is supported, though.

This should be supported by all libraries, and is being used. More and
more intermediate CAs are in the process of becoming constrained.

Kurt
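
The dNSName matching rule from the RFC 5280 section linked in the thread, as an added example that is not part of the original message or of any library mentioned in it. The function names and the sample host names are assumptions made for illustration; only dNSName subtrees are modelled.

```python
# Added example: dNSName matching for the Name Constraints extension
# (RFC 5280, section 4.2.1.10). Function names are hypothetical.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def within_subtree(name, base):
    """True if `name` equals `base` or is `base` with zero or more labels
    added on the left-hand side. Comparison is on whole labels, so
    'notdebian.org' is not inside 'debian.org'."""
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def dns_name_allowed(name, permitted, excluded=()):
    """Apply permitted/excluded dNSName subtrees to one name.
    An excluded match always wins; if permitted subtrees are present,
    the name must fall inside at least one of them."""
    if any(within_subtree(name, base) for base in excluded):
        return False
    if permitted:
        return any(within_subtree(name, base) for base in permitted)
    return True

def check_san_list(san_dns_names, permitted, excluded=()):
    """Return the DNS names from a certificate's subjectAltName that violate
    the constraints; an empty list means the certificate passes this check."""
    return [n for n in san_dns_names
            if not dns_name_allowed(n, permitted, excluded)]

# Constructed sample: the two subtrees named in the thread.
PERMITTED = ["spi-inc.org", "debian.org"]

if __name__ == "__main__":
    for name in ["debian.org", "lists.debian.org", "notdebian.org",
                 "debian.org.example.net", "www.spi-inc.org"]:
        print(name, dns_name_allowed(name, PERMITTED))
```

A verifier that compared by plain string suffix instead of by label would accept notdebian.org under the debian.org subtree, which is the case worth testing when checking how a given library handles constrained intermediates.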