[caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Sun Oct 9 17:53:35 CDT 2005


> >>>>>> Do I understand correctly that you are suggesting that a
> >>>>>> CA's namespace file can include rules for all of its
> >>>>>> subordinates?  (This seems to be what your example implies.)
> >>>>>> I actually think I like this idea, see next comment.
> >>>>>
> >>>>> That's indeed what I meant. It would enable new subordinates to
> >>>>> "glide in" without intervention from the admin, as long as they
> >>>>> stay within the namespace assigned for subordinates.

You all might want to look into a sort of movement that seems to exist in some
PKIX members.  I've picked up some Microsoft certs recently that seem to have
AIA extensions that jump around missing links in the trust chain
(between the end entity cert you have, and the trusted issuer pre-installed
in your cert store).  Somewhere I have read a justification / method for
this but have lost track.  But there is at least one example of another variant
in a current draft in the IETF PKIX WG:

http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-03.txt




