Name Constraints, was Re: [caops-wg] Re: ca signing policy file

David Chadwick d.w.chadwick at kent.ac.uk
Thu Oct 13 04:39:03 CDT 2005


Robert

Perhaps the real question is, do you change your authorisation rights 
more or less frequently than your identifier? If more frequently, then 
it does not really matter if your identifier changes every year or two 
since you can change your authorisation rights to match the new 
identifier when it becomes active. But if your authorisation rights are 
much longer lived than your identifier, then it becomes a pain to have 
to change these as well. However, in this case I would suggest that your 
authorisation rights are wrapped into the PKC, say in the 
subjectDirectoryAttributes extension, then they would carry over to the 
new identifier.

regards

David

Cowles, Robert D. wrote:
> The obvious choice for the "identifier" is the public
> key.  The drawback is that it would be good to change
> the keypair more often than you change identity.
> 
> Can you explain why name collisions cannot occur?
> 
> BC
> 
> 
>>-----Original Message-----
>>From: Frank Siebenlist [mailto:franks at mcs.anl.gov] 
> 
> ...
> 
>>When you say "name collisions", you must be referring to either 
>>compromised CAs or errors as name collisions should not occur...
>>
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************




