Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Matt Crawford
crawdad at fnal.gov
Thu Oct 13 08:46:22 CDT 2005
On Oct 12, 2005, at 13:41, Mike Helm wrote:
> We switched from a test, development lab CA (DOE Science Grid) to a
> production quality CA (doegrids), and we used this property to ease
> subscribers' transition to the new CA. Lesson? Overlapping name spaces
> might be useful!
Overlapping namespaces considered harmful --
The two CAs were not of equal "quality" (security and assurance
level). The existing mechanisms did not enable a service to
authorize subjects from the better CA to a different level than
subjects from the inferior CA. (Unless one of those levels was "zero.")