Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Thu Oct 13 13:01:19 CDT 2005


David Chadwick writes:
> this shows what a crap service Thawte are offering. Basically they will 
> link any name to any public key, so the binding is worthless. You might 
> as well issue your own self-signed certificate.

No I think this is both a misrepresentation and a misunderstanding of what
Thawte WOT does, which should be looked into on its own account.
Their process is at least as rigorous as the stronger Grid European CAs.
But I'm not interested in following that up - anyone interested can
research their process for themselves.

> Also I don't have a problem with two CAs issuing me with certs containing 
> the same DN, in fact I would want them to. What I have an issue with is 
> a CA issuing my name in someone else's cert. This shows that the CA is 
> not authenticating the right to use the name.

Sorry, but you're not the only David Chadwick on the planet.  I don't 
happen to know any others, but I am confident we can turn one up. 
411.org shows a few in CA, for example.
I worked in a group in LBL that had 3 people with the same first and last
name, completely unrelated; a group of about 25 people.   Focusing on 
names is a rathole.

> BTW, the use of an email address is a perfectly good globally unique DN, 
> and it's pretty easy to prove ownership of it. This is how Verisign issue 
> their certs. They send a secret to the mail box of the user.

I can agree with that; we proposed a system like that in late 2001 for
our Grid users.  Rejected.  We have brought it up at other times, but people have 
raised the issue of spam address harvesting because of the public
nature of the certificates. 

BTW, basing a system on email addresses remains quite problematic.  We get
about 10 email bounces a week from the certificate lifecycle service of our CA.
I have tried to push the issue of revoking these certificates, and it 
never flies in our PMA.  And for good reason - there are many ways for
email to fail.   It took 6 months or more to sort out an argument between
one mail service, which was ruthlessly enforcing certain DNS rules, and
another, which had carelessly configured their domain and MX rules
(mistakenly, but a common configuration).    The scientists and the 
CA were stuck in between.
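
The "send a secret to the mail box" check described in the quoted text, written out as an added example (this is illustrative code, not anything from the original posts, Verisign, or the caops-wg CA). It assumes a hypothetical in-memory store for outstanding challenges, a one-day validity window, and that the caller handles the actual mail delivery; the addresses below are constructed sample input.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: normalised email -> (token digest, expiry, used).
# A real CA would keep this next to the pending certificate request.
_pending = {}

TOKEN_TTL = 24 * 3600  # assumption: a mailed secret is valid for one day


def _normalise(email):
    # Treat the address case-insensitively so Alice@Example.org and
    # alice@example.org are the same mailbox for challenge purposes.
    return email.strip().lower()


def _digest(email, token):
    # Bind the digest to the address as well as the token, so a secret
    # mailed to one address cannot be redeemed for a different name.
    return hashlib.sha256(f"{_normalise(email)}\0{token}".encode()).hexdigest()


def issue_challenge(email, now=None):
    """Create an unguessable secret for `email` and record only its digest.

    The returned token is what gets mailed; the server never stores it in
    the clear, so a leaked store does not let anyone pass the check.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_normalise(email)] = (_digest(email, token), now + TOKEN_TTL, False)
    return token


def verify_challenge(email, token, now=None):
    """Return (ok, reason). Succeeds at most once per issued challenge."""
    now = time.time() if now is None else now
    key = _normalise(email)
    record = _pending.get(key)
    if record is None:
        return False, "no challenge outstanding"
    expected, expiry, used = record
    if used:
        return False, "token already used"
    if now > expiry:
        return False, "token expired"
    # Constant-time comparison: the digest length is fixed, so timing
    # reveals nothing about how much of the token was right.
    if not hmac.compare_digest(expected, _digest(email, token)):
        return False, "token mismatch"
    _pending[key] = (expected, expiry, True)  # single use
    return True, "email ownership demonstrated"


if __name__ == "__main__":
    # Constructed sample run: the token would normally travel by email.
    mailed = issue_challenge("Alice@Example.org")
    print(verify_challenge("alice@example.org", "not-the-token"))
    print(verify_challenge("alice@example.org", mailed))
    print(verify_challenge("alice@example.org", mailed))
```

This only proves that whoever answered could read the mailbox at that moment; it says nothing about the person behind the address, which is the point of the name-collision discussion above. Note also that it covers enrolment only: if the mail bounces, the secret simply never arrives and no certificate is issued. The bounces described in the reply happen later, from lifecycle notices sent to already-issued certificates, and a challenge at issuance time does nothing to detect an address that goes dead afterwards.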