Standard X.509 v3 Certificate Extensions
Netscape Recommendation
Netscape recommends using this extension in OCSP responder signing certificates.
The validity period should be short enough to minimize the potential impact of a
compromised OCSP responder signing key to your organization.
Microsoft Recommendation
Microsoft products do not currently use online status checking.
policyConstraints
OID
2.5.29.36
References
http://www.ietf.org/rfc/rfc2459.txt
Criticality
This extension may be critical or noncritical.
Discussion
This extension, which is for CA certificates only, constrains path validation in two
ways. It can be used to prohibit policy mapping or to require that each certificate in
a path contain an acceptable policy identifier.
PKIX requires that, if present, this extension must never consist of a null sequence.
At least one of the two available fields must be present.
CMS Version Support
Refer to "PolicyConstraintsExt Plug-in Module" on page 221.
•
CMS 4.1: Not supported
•
CMS 4.2: Supported
•
CMS 4.2-SP2: Supported
•
CMS 4.5: Supported
•
CMS 6.0: Supported
Netscape Recommendations
Netscape products do not currently examine this extension.
Microsoft Recommendations
Microsoft products do not currently examine this extension.
352
Netscape Certificate Management System Plug-Ins Guide • March 2002
4.2.1.12
Need help?
Do you have a question about the NETSCAPE MANAGEMENT SYSTEM 6.0 - PLUG-IN and is the answer not in the manual?