Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Von Welch vwelch at ncsa.uiuc.edu
Tue Oct 11 21:31:42 CDT 2005


Sorry Tony, I was unclear.

I meant to say that unless NameConstraints are adopted by CAs in
general (which probably means both "Grid CAs" as well as all the
various software packages our communities use to generate
certificates), we still need something like current ca signing
policies (i.e. relying party-specified name constraints).

I was mainly stating that support by openssl for name constraints is
a step in the right direction; I didn't see it changing this need.

Von

On Oct 11, 2005, at 6:00 PM, Tony J. Genovese wrote:

>> My take is also that it wouldn't be prudent, even with these
>> advances in NameConstraints adoption, to assume they remove
>> the need for RP-specified policies such as this document
>> describes. That would require adoption by CAs in general.
>>
>
> The RP specific policies sound like a reasonable feature. I am not clear on
> the statement about adoption by CAs in General... All the CAs working on
> Grids are organized and have to modify and change policies over time, so
> what new policy needs to be defined? The reason to present the paper here is
> that you want us to change, so are you saying some changes are easier for us
> or that we will not make the NameConstraint change? Though support for it
> does not seem to answer all your issues.




