Re: [pkix] How to enforce domain constraints on intermediate CA?

"Miller, Timothy J." <tmiller@mitre.org> Mon, 23 February 2015 15:29 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEA0D1A1ADD for <pkix@ietfa.amsl.com>; Mon, 23 Feb 2015 07:29:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2503YubcPkX3 for <pkix@ietfa.amsl.com>; Mon, 23 Feb 2015 07:29:50 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) by ietfa.amsl.com (Postfix) with ESMTP id 881EA1A1AD0 for <pkix@ietf.org>; Mon, 23 Feb 2015 07:29:47 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1DF2D72E063; Mon, 23 Feb 2015 10:29:47 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpvbsrv1.mitre.org (Postfix) with ESMTP id 1531672E05A; Mon, 23 Feb 2015 10:29:47 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.185]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.03.0224.002; Mon, 23 Feb 2015 10:29:46 -0500
From: "Miller, Timothy J." <tmiller@mitre.org>
To: "noloader@gmail.com" <noloader@gmail.com>, Santosh Chokhani <schokhani@cygnacom.com>
Thread-Topic: [pkix] How to enforce domain constraints on intermediate CA?
Thread-Index: AQHQTiB12hiH5ICD3kuq8J71D1q1qZz8IIEAgAAQ2oCAAiw5EA==
Date: Mon, 23 Feb 2015 15:29:46 +0000
Message-ID: <195DB2510AAA004391F58E28FCE212004621337A@IMCMBX01.MITRE.ORG>
References: <CAH8yC8nryWuiope0ftBS+kjpBp3bYbmM8KX0m0U1Ar+=qDj10g@mail.gmail.com> <a033c72fb6564fac877a2b6c8a510d93@svaexch1.cygnacom.com> <CAH8yC8nQ8o4DEmp2vR5NV-N-pD=QdxB8fVWN1Cn1+S8WWSAR5g@mail.gmail.com>
In-Reply-To: <CAH8yC8nQ8o4DEmp2vR5NV-N-pD=QdxB8fVWN1Cn1+S8WWSAR5g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.140.19.249]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/YcWY9vp3hshd8qirutpfzsWD2JM>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] How to enforce domain constraints on intermediate CA?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2015 15:29:57 -0000

FWIW, Microsoft Cert Services uses name constraints and other things in intermediate CA certs as part of "qualified subordination."

-- T

> -----Original Message-----
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Jeffrey Walton
> Sent: Saturday, February 21, 2015 7:14 PM
> To: Santosh Chokhani
> Cc: PKIX
> Subject: Re: [pkix] How to enforce domain constraints on intermediate CA?
> 
> On Sat, Feb 21, 2015 at 7:14 PM, Santosh Chokhani
> <schokhani@cygnacom.com> wrote:
> > I would think this can be done via using name constraints extension
> > and asserting appropriate DNS name spaces
> 
> Ah, thanks. I was looking for a policy object, and not an extension.
> Sorry about that.
> 
> Jeff
> 
> > -----Original Message-----
> > From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Jeffrey Walton
> > Sent: Saturday, February 21, 2015 4:51 PM
> > To: PKIX
> > Subject: [pkix] How to enforce domain constraints on intermediate CA?
> >
> > I have an internal PKI, and I'm trying to figure out how to apply a policy that
> > constrains names to the one used internally. I've read through RFCs like 5280,
> > but it's not clear to me how to do it.
> >
> > How does one apply a domain policy constraint to an intermediate CA
> > under PKIX?
> >
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
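As a worked illustration of the name constraints extension Santosh points to above, here is an added example (not code from anyone in this thread) of the RFC 5280 section 4.2.1.10 dNSName matching rule applied along a certification path. Certificates are modelled as small dataclasses instead of parsed X.509 so the matching logic can be read on its own; the hierarchy, zone names and the restriction to dNSName (no subject-DN, IP, email or URI forms) are all assumptions made for the example.

```python
"""
Added example: RFC 5280 section 4.2.1.10 dNSName name-constraint matching
along a certification path, applied to a constructed internal PKI.

Certificates are plain dataclasses, not parsed X.509 (assumption), so the
matching rule stands alone. Subject-DN constraints and the other name forms
(IP, rfc822Name, URI) are out of scope for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NameConstraints:
    permitted: List[str] = field(default_factory=list)   # permittedSubtrees, dNSName form
    excluded: List[str] = field(default_factory=list)    # excludedSubtrees, dNSName form


@dataclass
class Cert:
    label: str                                           # human-readable name for messages
    dns_sans: List[str] = field(default_factory=list)    # subjectAltName dNSName values
    constraints: Optional[NameConstraints] = None        # only CA certificates carry this


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively and a trailing dot is not significant.
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def dns_name_in_subtree(name: str, base: str) -> bool:
    """A name satisfies a dNSName subtree when it equals the base or is the base
    with zero or more labels added on the left (RFC 5280 4.2.1.10). Comparison is
    on whole labels, so 'fakecorp.example.internal' does not match
    'corp.example.internal'."""
    n, b = _labels(name), _labels(base)
    if not b:
        return True          # an empty base covers every name
    return len(n) >= len(b) and n[-len(b):] == b


def check_name(name: str, nc: NameConstraints) -> Tuple[bool, str]:
    """excludedSubtrees take precedence over permittedSubtrees; an empty permitted
    list places no restriction on this name form."""
    for base in nc.excluded:
        if dns_name_in_subtree(name, base):
            return False, f"{name} falls in excluded subtree {base}"
    if nc.permitted and not any(dns_name_in_subtree(name, b) for b in nc.permitted):
        return False, f"{name} outside permitted subtrees {nc.permitted}"
    return True, "ok"


def validate_path(path: List[Cert]) -> Tuple[bool, List[str]]:
    """path is ordered trust anchor first, end entity last. Constraints asserted in
    a CA certificate apply to every certificate that follows it in the path. The
    effective permitted set is the intersection of all asserted sets and the
    effective excluded set is their union, so checking each CA in turn is equivalent."""
    problems: List[str] = []
    for i, ca in enumerate(path[:-1]):
        if ca.constraints is None:
            continue
        for later in path[i + 1:]:
            for san in later.dns_sans:
                ok, why = check_name(san, ca.constraints)
                if not ok:
                    problems.append(f"{ca.label} -> {later.label}: {why}")
    return not problems, problems


def demo() -> dict:
    """Constructed sample hierarchy (assumption): the intermediate is limited to
    corp.example.internal and additionally forbids its legacy sub-zone."""
    root = Cert("root")
    intermediate = Cert(
        "intermediate",
        constraints=NameConstraints(
            permitted=["corp.example.internal"],
            excluded=["legacy.corp.example.internal"],
        ),
    )
    leaves = {
        "inside": Cert("app", dns_sans=["app.corp.example.internal"]),
        "apex": Cert("apex", dns_sans=["corp.example.internal"]),
        "outside": Cert("web", dns_sans=["www.example.com"]),
        "label_trick": Cert("trick", dns_sans=["fakecorp.example.internal"]),
        "excluded": Cert("db", dns_sans=["db.legacy.corp.example.internal"]),
        "mixed": Cert("mixed", dns_sans=["ok.corp.example.internal", "evil.example.com"]),
    }
    return {k: validate_path([root, intermediate, leaf])[0] for k, leaf in leaves.items()}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} {'accepted' if ok else 'rejected'}")
```

Two points the example makes concrete: a constraint of `corp.example.internal` covers that name and everything below it but not look-alike names that merely end in the same string, and an excluded subtree inside a permitted one still rejects. When issuing the intermediate with OpenSSL the same restriction is expressed in the CA's extension section as `nameConstraints = critical,permitted;DNS:corp.example.internal` (add an `excluded;DNS:` entry for the legacy zone); RFC 5280 requires conforming CAs to mark the extension critical, which also means relying parties that do not implement it will reject the chain rather than silently ignore the constraint.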