Hi,

While I'm implementing the proxy tracing extension for Java, I would like to also put in the to and from restrictions at the same time. Could we get OIDs for them too? Like:

  1.2.840.113612.5.5.1.1.2    Proxy Certificate source and target restrictions
  1.2.840.113612.5.5.1.1.2.1  Proxy certificate from restriction
  1.2.840.113612.5.5.1.1.2.2  Proxy certificate to restriction

Format would be either GeneralNames as used in "4.2.1.10. Name Constraints" in RFC 5280, the latest certificate RFC:

  http://www.ietf.org/rfc/rfc5280.txt

Or the whole NameConstraints structure from it. Do we also need the exclusion, or do allowed addresses suffice? I guess we might put both in just in case, so the full NameConstraints structure?

My current plan would be to only support ipAddress to start with; that would mean IP address with a netmask.

For the tracing extension, I have implemented the URI field of GeneralName. For delegating to a service it's easy and clear to put in the URL of the service. But for the source information in case it's the user client, it's a bit unclear what should be put in (if it's a service as client, it's easy to put the service URL). Should we decide on some kind of format to identify the client program and other info? For example:

  voms-client://lxplusclient.cern.ch/jhahkala

where the protocol identifies the client program used, the hostname the machine name/IP, and the path the user account used. Of course the user account might not be something we should publish. It is a bit of a bad way of mangling the URI into something like this, but it could be useful...

Cheers,
Joni
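
An added example, not part of the original message and not code from the project: a sketch of how a relying party could evaluate the ipAddress form mentioned above, using the RFC 5280 section 4.2.1.10 encoding (address octets followed by mask octets, 8 for IPv4 and 32 for IPv6). The function names, the sample constraints, and the rule that an excluded match overrides a permitted one while an empty permitted list means "no restriction" are assumptions carried over from RFC 5280 name constraints, not something the message specifies for the from/to restrictions.

```python
import ipaddress


def parse_ip_constraint(raw):
    """Decode RFC 5280 iPAddress constraint octets (address || mask) to a network."""
    if len(raw) not in (8, 32):
        raise ValueError("iPAddress constraint must be 8 (IPv4) or 32 (IPv6) octets")
    half = len(raw) // 2
    width = half * 8
    addr = int.from_bytes(raw[:half], "big")
    mask = int.from_bytes(raw[half:], "big")
    prefix = bin(mask).count("1")
    # A CIDR-style mask is a run of ones followed by zeros; reject anything else.
    if mask != ((1 << width) - 1) ^ ((1 << (width - prefix)) - 1):
        raise ValueError("non-contiguous netmask in iPAddress constraint")
    cls = ipaddress.IPv4Network if half == 4 else ipaddress.IPv6Network
    # strict=True (the default) also rejects an address with host bits set.
    return cls((addr, prefix))


def ip_allowed(ip, permitted, excluded):
    """Return True if `ip` passes the permitted/excluded subtree lists.

    Assumed semantics (from RFC 5280): any excluded match rejects; an empty
    permitted list imposes no restriction; otherwise one permitted match is needed.
    """
    addr = ipaddress.ip_address(ip)

    def matches(constraints):
        nets = [parse_ip_constraint(c) for c in constraints]
        return any(n.version == addr.version and addr in n for n in nets)

    if matches(excluded):
        return False
    return not permitted or matches(permitted)


# Constructed sample constraints (not taken from any real certificate):
PERMITTED = [bytes.fromhex("0a010000ffff0000")]   # 10.1.0.0 / 255.255.0.0
EXCLUDED = [bytes.fromhex("0a010500ffffff00")]    # 10.1.5.0 / 255.255.255.0

if __name__ == "__main__":
    for candidate in ("10.1.2.3", "10.1.5.9", "192.0.2.1"):
        print(candidate, ip_allowed(candidate, PERMITTED, EXCLUDED))
```

Carrying both lists, as the full NameConstraints structure does, is what lets a restriction carve a smaller range out of a permitted one.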