Discuss this help topic in SecureBlackbox Forum
TElNameConstraintsExtension is a descendant of TElCustomExtension class.
Description
This extension MUST be used only in a CA
certificates. It indicates a name space within which all subject names in
subsequent certificates in a certification path shall be located.
Restrictions may apply to the subject distinguished name or subject
alternative names. Restrictions apply only when the specified name
form is present. If no name of the type is in the certificate, the
certificate is acceptable.
The following paragraph is taken from RFC 2459 (Housley, et. al.), part 4.2.1.3:
«
Restrictions are defined in terms of permitted or excluded name
subtrees. Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees. This extension MUST be critical.
Within this profile, the minimum and maximum fields are not used with
any name forms, thus minimum is always zero, and maximum is always
absent.
For URIs, the constraint applies to the host part of the name. The
constraint may specify a host or a domain. Examples would be
"foo.bar.com"; and ".xyz.com". When the constraint begins with
a period, it may be expanded with one or more subdomains. That is,
the constraint ".xyz.com" is satisfied by both abc.xyz.com and
abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied
by "xyz.com". When the constraint does not begin with a period, it
specifies a host.
A name constraint for Internet mail addresses may specify a
particular mailbox, all addresses at a particular host, or all
mailboxes in a domain. To indicate a particular mailbox, the
constraint is the complete mail address. For example, "root@xyz.com"
indicates the root mailbox on the host "xyz.com". To indicate all
Internet mail addresses on a particular host, the constraint is
specified as the host name. For example, the constraint "xyz.com" is
satisfied by any mail address at the host "xyz.com". To specify any
address within a domain, the constraint is specified with a leading
period (as with URIs). For example, ".xyz.com" indicates all the
Internet mail addresses in the domain "xyz.com", but Internet mail
addresses on the host "xyz.com".
DNS name restrictions are expressed as foo.bar.com. Any subdomain
satisfies the name constraint. For example, www.foo.bar.com would
satisfy the constraint but bigfoo.bar.com would not.
Legacy implementations exist where an RFC 822 name is embedded in the
subject distinguished name in an attribute of type EmailAddress...
When rfc822 names are constrained, but the certificate
does not include a subject alternative name, the rfc822 name
constraint MUST be applied to the attribute of type EmailAddress in
the subject distinguished name.
Restrictions of the form directoryName MUST be applied to the subject
field in the certificate and to the subjectAltName extensions of type
directoryName. Restrictions of the form x400Address MUST be applied
to subjectAltName extensions of type x400Address.
When applying restrictions of the form directoryName, an
implementation MUST compare DN attributes... CAs issuing certificates
with a restriction of the
form directoryName SHOULD NOT rely on implementation of the full ISO
DN name comparison algorithm. This implies name restrictions shall
be stated identically to the encoding used in the subject field or
subjectAltName extension.
For IPv4
addresses, the ipAddress field of generalName MUST contain eight (8)
octets, encoded in the style of RFC 1519 (CIDR) to represent an
address range.[RFC 1519] For IPv6 addresses, the ipAddress field
MUST contain 32 octets similarly encoded. For example, a name
constraint for "class C" subnet 10.9.8.0 shall be represented as the
octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation
10.9.8.0/255.255.255.0.»
Inherited from TElCustomExtension
.NET: