Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Wed Oct 12 13:33:27 CDT 2005


David Chadwick writes:
> This is a very interesting viewpoint. What you are saying, if I put it 
> another way, is that everyone can have a completely random name, it's 
> irrelevant what it actually is, as long as the user can authenticate to 
> that name (via signing something whose signature validates with the 
> certificate containing that name) and then as long as the authorisation 
> infrastructure can reliably get the set of attributes that are bound to 
> the same name, then correct authorisation can be performed, regardless 
> of the name of the user. In which case name constraints are irrelevant. 
> I would agree with that.

That's pretty much it.

In practice, people (=relying party representatives, say) usually want
something meaningful in the name at least for "people" certs.
Most people recognize now that this is not
sufficient to identify a particular person but it humanizes the certs.
Perhaps this makes the workflow a little more efficient for everyone.





