Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Mike Helm
helm at fionn.es.net
Wed Oct 12 13:41:09 CDT 2005
"Cowles, Robert D." writes:
> that the middleware includes a check of the CA when it compares
> on DN, then what you say is correct.
This is one of the essential problems with this service that
has never been addressed as far as I know. Name constraints
"be" an incomplete barrier.
BTW, we have found this omission _useful_ in our past.
We switched from a test, development lab CA (DOE Science Grid) to a production
quality CA (doegrids), and we used this property to ease subscribers'
transition to the new CA. Lesson? Overlapping name spaces
might be useful!