[Standards] wildcards in XMPP certs

Shumon Huque shuque at isc.upenn.edu
Thu Jul 17 04:11:19 UTC 2008


On Wed, Jul 16, 2008 at 10:28:45AM -0600, Peter Saint-Andre wrote:
> Scrap that idea. I was right the first time. RFC 5280 says:
> 
>    The name constraints extension, which MUST be used only in a CA
>    certificate, indicates a name space within which all subject names in
>    subsequent certificates in a certification path MUST be located.
> 
> Oh well, it was a pleasant notion while it lasted. All of 15 minutes or 
> so. ;)

Right :-)

Only for CA certificates. If I'm operating a CA that only issues
certificates for names in the upenn.edu name space (including 
SRVName name types), then it might be appropriate for the CA
certificate to include a 'upenn.edu' name constraint extension.
It might even make it more likely for other people to use that
CA certificate as a trust anchor since they could be assured that
this CA can only issue certificates for upenn.edu names, and not
start issuing certs for microsoft.com or some other unrelated entity. 
This of course assumes that certificate validation software is correctly
processing and applying the name constraint, which might be a big
assumption!

--Shumon.
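The "big assumption" at the end of the post (that validating software actually applies a CA's name constraints) is the part a practitioner can test. The following is an added example, not code from the post or from any of the XMPP projects discussed on this list. It uses Go's standard crypto/x509 to build a self-signed CA whose critical name constraints permit only the "upenn.edu" DNS name space, has that CA sign certificates for several hostnames (the signer itself will sign anything; the constraint only binds the verifier), and reports whether verification accepts each one and, when it rejects, whether the rejection is specifically a name-constraint violation. The CA name and the hostnames are constructed for the example. Go enforces constraints on dNSName (and email, IP and URI) subjectAltNames but does not understand the SRVName otherName type mentioned in the post, so the example uses plain dNSName SANs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Result records what the verifier said about one end-entity certificate.
type Result struct {
	Accepted                bool // chain built and every check passed
	NameConstraintViolation bool // rejected specifically by the CA's name constraints
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // curve is an arbitrary choice for the example
	if err != nil {
		panic(err)
	}
	return k
}

// NewConstrainedCA makes a self-signed CA whose (critical) name constraints
// extension permits only dNSName SANs equal to or under permittedDomain.
func NewConstrainedCA(permittedDomain string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Constrained Test CA"}, // constructed name
		NotBefore:                   now.Add(-time.Hour),
		NotAfter:                    now.Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         []string{permittedDomain},
		PermittedDNSDomainsCritical: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return ca, key
}

// Issue signs a server certificate for hostname with the CA. Nothing here
// stops the CA from signing an out-of-scope name: the constraint is applied
// (or not) by whoever validates the chain.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string) *x509.Certificate {
	key := mustKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// Check validates leaf with ca as the sole trust anchor. No DNSName is set in
// VerifyOptions, so hostname matching is skipped and any rejection comes from
// chain building, key-usage checks or the CA's name constraints.
func Check(ca, leaf *x509.Certificate) Result {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err == nil {
		return Result{Accepted: true}
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName {
		return Result{NameConstraintViolation: true}
	}
	return Result{}
}

func main() {
	ca, caKey := NewConstrainedCA("upenn.edu")
	// Constructed test names: two inside the name space, one unrelated, and one
	// that only looks related if a verifier compares substrings instead of labels.
	for _, h := range []string{"jabber.upenn.edu", "upenn.edu", "xmpp.example.org", "notupenn.edu"} {
		fmt.Printf("%-20s %+v\n", h, Check(ca, Issue(ca, caKey, h)))
	}
}
```

The "notupenn.edu" case is the one worth keeping in a regression test: a constraint of "upenn.edu" must be matched label by label from the right, and a verifier that does a suffix string comparison would wrongly accept it. The same harness can be pointed at a different validation library by swapping out Check, which is how one would retire the assumption the post flags rather than live with it.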
