> For some reason (probably industry collusion), X.509 Name Constraints […]
For anyone curious, see RFC 5280 § 4.2.1.10:

> The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. Restrictions apply to the subject distinguished name and apply to subject alternative names. Restrictions apply only when the specified name form is present. If no name of the type is in the certificate, the certificate is acceptable.

* https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10
* https://www.alvestrand.no/objectid/2.5.29.30.html

Client support exists in OpenSSL 1.0.0, Windows 7, Mac OS 10.13.3, iOS 11.2.6. (Android?)

I think one technical 'loophole' is that while NCs apply explicitly to SANs, per the spec they do not apply to the Common Name. Though quickly skimming the RFC, I do not see anything that would prohibit them from being applied to the CN. So you can probably do it under the guise of "undefined behaviour".
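An added example, not part of the thread and not code posted by anyone in it: the script below uses the openssl CLI to mint a CA whose nameConstraints permit only dNSName entries under example.com, then issues four leaf certificates and runs `openssl verify` against each. The hostnames, the IP address 203.0.113.5 and the temporary file layout are placeholders chosen for the demo. Besides the plain in-tree and out-of-tree SAN cases, it exercises two of the RFC's edge cases: a leaf whose only name is an IP SAN (no IP constraint exists, so it is accepted) and a CN-only leaf with a hostname-shaped CN outside the permitted tree. OpenSSL 1.1.0 and later check such a CN against the dNSName constraints when the certificate carries no dNSName SAN, so the CN "loophole" speculated about above is closed for that validator; a CN that does not parse as a hostname is simply not checked.

```shell
#!/bin/sh
# Added example (not from the thread above): build a name-constrained CA with
# the openssl CLI and see which leaf certificates a modern OpenSSL accepts.
# example.com, evil.test and 203.0.113.5 are placeholder names for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. CA that may only issue for example.com and its subdomains. Only the
#    dNSName form is constrained; IP, e-mail and directoryName are left open.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
openssl req -new -key "$WORK/ca.key" -subj "/CN=Constrained Test CA" \
  -out "$WORK/ca.csr"
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
nameConstraints=critical,permitted;DNS:example.com
EOF
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf LABEL SUBJECT-CN [SAN]: end-entity certificate signed by the CA.
# The SAN argument is optional so a CN-only certificate can be minted too.
issue_leaf() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=critical,digitalSignature"
    if [ $# -ge 3 ]; then echo "subjectAltName=$3"; fi
  } >"$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" \
    2>/dev/null
}

# verify_result LABEL: prints "ok" when the chain validates under the
# constrained CA and "fail" otherwise (OpenSSL reports the latter as
# "permitted subtree violation").
verify_result() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# 2. Four leaves covering the cases discussed in the RFC text.
issue_leaf inside  www.example.com   DNS:www.example.com   # SAN in tree
issue_leaf bad-san www.example.com   DNS:www.evil.test     # CN in tree, SAN not
issue_leaf cn-only www.evil.test                           # no SAN at all
issue_leaf ip-only "Internal Device" IP:203.0.113.5        # no dNSName anywhere

for leaf in inside bad-san cn-only ip-only; do
  printf '%-8s %s\n' "$leaf" "$(verify_result "$leaf")"
done
```

The bad-san case shows that the SAN is what gets checked even when the CN is inside the permitted tree; the ip-only case shows the "restrictions apply only when the specified name form is present" rule, since the CA says nothing about iPAddress and "Internal Device" is not hostname-shaped. Running the cn-only case against a validator that never looks at the CN would produce "ok" instead of "fail", which is exactly the interoperability gap the comment above is worried about.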