Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Frank Siebenlist
franks at mcs.anl.gov
Wed Oct 12 18:43:31 CDT 2005
Cowles, Robert D. wrote:
> But such "agreements" are just a way of encoding the CA in the
> random number.
That is the "technical" solution.
I was more referring to the policy agreement that if CA-1 issues some
uuid to me, that CA-2 will not issue that same number to you.
> What about number portability? If I have a
> number from CA-1 are you saying I can't take that cert to
> CA-2 and get a certificate from them?
>
Ough... you're implementing already ;-)
I guess that you "are" your uuid after it is issued by the initial CA,
so other CAs should probably be able to issue certificates that bind
that same uuid to other keys after they are assured that it has the same
key-holder associated with it.
Being able to limit the number of CAs that can do that through some form
of enforced policy constraints is one of the main issues of this
discussion...
-Frank.
>> -----Original Message-----
>> From: Frank Siebenlist [mailto:franks at mcs.anl.gov]
>>
> ...
>
>> This means that when you allow multiple CAs to issue random
>> numbers as
>> names for subjects, those CAs should have some agreement that none of
>> their fellow CAs should issue the same random number to a different
>> person/entity. There are some technical solutions that could help to
>> prevent collisions, but the main issue is one of policy conformance.
>>
>> -Frank.
>>
>
>
--
Frank Siebenlist franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
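The two approaches the thread contrasts, "encoding the CA in the random number" versus relying purely on an inter-CA policy agreement, can be shown side by side. The following is an added example and is not code from the caops-wg thread or from Globus; the CA names, the prefix derivation via uuid5 and the "prefix:tail" identifier layout are assumptions chosen for illustration. It issues CA-prefixed identifiers, runs the name-constraint style check a relying party could enforce ("this CA may only issue identifiers under its own prefix"), and shows that with a plain random identifier no such check is possible, which is exactly the point at which only policy conformance remains.

```python
"""Added example (not from the caops-wg thread): subject identifiers that
carry their issuing CA's prefix, plus the constraint check that makes the
"one CA per identifier" rule technically enforceable rather than policy-only.
CA names, prefix derivation and identifier layout are assumptions."""
import uuid
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CA:
    """A CA whose prefix is derived deterministically from its name (assumed)."""
    name: str
    prefix: uuid.UUID = field(init=False)

    def __post_init__(self) -> None:
        # uuid5 over a DNS-style name gives a stable, distinct per-CA prefix.
        self.prefix = uuid.uuid5(uuid.NAMESPACE_DNS, self.name)

    def issue_subject_id(self) -> str:
        # The "random number" embeds the issuer: only the tail is random, so
        # two different CAs cannot issue the same identifier by construction.
        return f"{self.prefix}:{uuid.uuid4()}"


def plain_random_id() -> str:
    """The policy-only scheme: a bare random identifier with no issuer in it."""
    return str(uuid.uuid4())


def parse_subject_id(subject_id: str) -> Optional[Tuple[uuid.UUID, uuid.UUID]]:
    """Split 'prefix:tail'; None if the layout or either UUID is malformed."""
    prefix, sep, tail = subject_id.partition(":")
    if not sep:
        return None
    try:
        return uuid.UUID(prefix), uuid.UUID(tail)
    except ValueError:
        return None


def permitted(ca: CA, subject_id: str) -> bool:
    """Name-constraint style check: subject_id must lie under ca's prefix.

    A relying party (or a parent CA validating a sub-CA's issuance) can run
    this without trusting any inter-CA agreement."""
    parsed = parse_subject_id(subject_id)
    if parsed is None:
        return False
    prefix, tail = parsed
    return prefix == ca.prefix and tail.version == 4


def who_issued(subject_id: str, cas: List[CA]) -> Optional[CA]:
    """Return the single CA allowed to have issued subject_id, or None.

    For a plain random identifier this is always None: nothing in the value
    says which CA minted it, so uniqueness rests on policy alone."""
    return next((ca for ca in cas if permitted(ca, subject_id)), None)


if __name__ == "__main__":
    ca1, ca2 = CA("ca1.example"), CA("ca2.example")  # assumed names
    sid = ca1.issue_subject_id()
    print("issued by CA-1:", sid)
    print("CA-1 permitted:", permitted(ca1, sid), "CA-2 permitted:", permitted(ca2, sid))
    print("plain random id attributable:", who_issued(plain_random_id(), [ca1, ca2]))
```

Note that the prefix check says nothing about the portability case raised in the thread: CA-2 re-binding CA-1's identifier to a new key for the same key-holder fails `permitted(ca2, ...)` by design, so any such re-issuance has to be an explicit, separately authorised exception rather than something the constraint allows.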