In message <F12ECEA0435AD211B5280008C7ACBC85016B419C@BIGIRON> on Thu, 30 May 2002 10:52:16 +1200, Franck Martin <[EMAIL PROTECTED]> said:

Franck> I would like to know if it is possible to issue a certificate that
Franck> contains a rule that specifies that it can sign other certificates only if
Franck> the domain is a sub-domain of a specified domain.
Franck>
Franck> For instance A would issue a certificate to B with a critical extension
Franck> (*.sopac.org|*@sopac.org) that would allow B to sign certificates only
Franck> for use in sub-domains, eg: www.sopac.org, [EMAIL PROTECTED],
Franck> [EMAIL PROTECTED],... but not www.othersopac.org,
Franck> www.mycompany.com
Franck>
Franck> If it does not exist then we are missing something important...

RFC 3280 (http://www.imc.org/rfc3280), section 4.2.1.11 (Name
Constraints).  Unfortunately, I don't currently know how this
translates to the OpenSSL configuration file or if OpenSSL handles it
at all...

-- 
Richard Levitte
Member of the OpenSSL development team: http://www.openssl.org/
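
The matching rules of RFC 3280 section 4.2.1.11, which the reply points to, applied to the names from the question, as an added example in Python (not part of the original thread and not OpenSSL code). The function names, the constraint list and the mailbox addresses are constructed for illustration, and only permittedSubtrees for dNSName and rfc822Name are covered.

```python
# Added example: name matching per RFC 3280 section 4.2.1.11
# (permittedSubtrees only). All names below are constructed sample input.

def dns_matches(name, constraint):
    """True if name equals the constraint or adds whole labels on its left."""
    n = name.lower().rstrip(".").split(".")
    c = constraint.lower().rstrip(".").split(".")
    return len(n) >= len(c) and n[-len(c):] == c

def email_matches(addr, constraint):
    """rfc822Name forms: 'user@host' mailbox, 'host', or '.domain'."""
    local, at, host = addr.rpartition("@")
    if not (at and local and host):
        return False
    if "@" in constraint:                    # one particular mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host.lower() == c_host.lower()
    host, constraint = host.lower(), constraint.lower()
    if constraint.startswith("."):           # hosts inside the domain only
        return len(host) > len(constraint) and host.endswith(constraint)
    return host == constraint                # every mailbox on exactly this host

MATCHERS = {"DNS": dns_matches, "email": email_matches}

def permitted(kind, name, subtrees):
    """Allowed if some permitted subtree of the same kind matches; a name
    form with no subtree listed is unconstrained."""
    same_kind = [c for k, c in subtrees if k == kind]
    return not same_kind or any(MATCHERS[kind](name, c) for c in same_kind)

def naive_suffix(name):
    """The common mistake: a plain string-suffix test ignores label boundaries."""
    return name.lower().endswith("sopac.org")

# Constructed constraint set standing in for B's CA certificate.
SOPAC = [("DNS", "sopac.org"), ("email", "sopac.org"), ("email", ".sopac.org")]

if __name__ == "__main__":
    samples = [("DNS", "www.sopac.org"), ("DNS", "www.othersopac.org"),
               ("DNS", "www.mycompany.com"), ("email", "alice@sopac.org"),
               ("email", "bob@mail.sopac.org"), ("email", "eve@othersopac.org")]
    for kind, name in samples:
        print(f"{kind:5} {name:22} permitted={permitted(kind, name, SOPAC)}")
    print("naive suffix accepts www.othersopac.org:",
          naive_suffix("www.othersopac.org"))
```

The label-by-label comparison is what keeps www.othersopac.org out; a validator that compares raw string suffixes would accept it.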