Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Frank Siebenlist franks at mcs.anl.gov
Wed Oct 12 17:52:57 CDT 2005


Typo... try again:

> Can you explain name collisions cannot occur?  

Careful... I said "should not", not "cannot"...

CAs are supposed to "know" not to overstep their issuing boundaries 
through secret handshakes and such.

This means that when you allow multiple CAs to issue random numbers as 
names for subjects, those CAs should have some agreement that none of 
their fellow CAs should issue the same random number to a different 
person/entity. There are some technical solutions that could help to 
prevent collisions, but the main issue is one of policy conformance.

-Frank.



Frank Siebenlist wrote:
> Cowles, Robert D. wrote:
>> The obvious choice for the "identifier" is the public
>> key.  The drawback  is that it would be good to change
>> the keypair more often than you change identity.
>
> :-)
>
>> Can you explain name collisions cannot occur?
>
> Careful... I said "should", not "cannot"...
>
> CAs are supposed to "know" not to overstep their issuing boundaries 
> through secret handshakes and such.
>
> -Frank.
>
>
>
>>> -----Original Message-----
>>> From: Frank Siebenlist [mailto:franks at mcs.anl.gov]     
>> ...
>>  
>>> When you say "name collisions", you must be referring to either 
>>> compromised CAs or errors as name collisions should not occur...
>

-- 
Frank Siebenlist               franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
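As an added illustration, not part of this thread, of one technical measure that could back the policy agreement Frank describes: partition the subject namespace with X.509 name constraints (RFC 5280 directoryName subtrees, matched by DN prefix) so that each CA may only issue under its own subtree, and audit the names actually issued across CAs for a reused identifier. The CA names, subtrees and random identifiers below are constructed sample data.

```python
from typing import Dict, List, Tuple

# A distinguished name as an ordered tuple of (attribute, value) RDNs,
# e.g. (("DC", "org"), ("DC", "example"), ("OU", "CA-A"), ("CN", "4f2c9a1e"))
DN = Tuple[Tuple[str, str], ...]

def in_subtree(name: DN, subtree: DN) -> bool:
    """RFC 5280 directoryName matching: a name lies within a permitted
    subtree when the subtree DN is a prefix of the name DN, RDN by RDN."""
    return len(name) >= len(subtree) and name[: len(subtree)] == subtree

def subtrees_overlap(a: DN, b: DN) -> bool:
    """Two CA namespaces overlap if one permitted subtree contains the other."""
    return in_subtree(a, b) or in_subtree(b, a)

def check_issuance(permitted: Dict[str, DN], issued: List[Tuple[str, DN]]) -> List[str]:
    """Return violations: overlapping CA namespaces, subjects issued outside
    the issuing CA's subtree, and the same random identifier (final RDN value)
    issued by two different CAs."""
    problems = []
    cas = sorted(permitted)
    for i, ca_a in enumerate(cas):
        for ca_b in cas[i + 1:]:
            if subtrees_overlap(permitted[ca_a], permitted[ca_b]):
                problems.append(f"namespace overlap: {ca_a} and {ca_b}")
    seen: Dict[str, str] = {}  # random identifier -> first CA that issued it
    for ca, subject in issued:
        ident = subject[-1][1]
        if not in_subtree(subject, permitted[ca]):
            problems.append(f"{ca} issued outside its subtree: {ident}")
        prev = seen.setdefault(ident, ca)
        if prev != ca:
            problems.append(f"identifier collision: {prev} and {ca} both issued {ident}")
    return problems

# Constructed sample data: one root namespace split into two CA subtrees
ROOT: DN = (("DC", "org"), ("DC", "example"))
PERMITTED = {
    "CA-A": ROOT + (("OU", "CA-A"),),
    "CA-B": ROOT + (("OU", "CA-B"),),
}
ISSUED = [
    ("CA-A", PERMITTED["CA-A"] + (("CN", "4f2c9a1e"),)),
    ("CA-B", PERMITTED["CA-B"] + (("CN", "4f2c9a1e"),)),  # same random id reused by another CA
    ("CA-B", PERMITTED["CA-A"] + (("CN", "77d0b3e5"),)),  # CA-B overstepping into CA-A's subtree
]
```

Note that the subtree check alone only keeps the complete DNs distinct; the reuse of the random identifier itself, which is what the thread's policy forbids, is only caught by the cross-CA audit.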