Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Thu Oct 13 13:39:50 CDT 2005


Frank Siebenlist writes:
> Are you suggesting that we should keep the CA always with the DN for all 
> the authorization decisions?
> (Essentially pushing the policy enforcement of name+CA to the 
> authorization stage and throwing-in the towel as far as the pkix/x509 
> global-naming dream is concerned...)

Yes.  To all.

As DC mentioned there is available to us a global naming strategy.
It is not perfect and it has some side effects, but it can at least
reduce some of the human confusion.  

However, you still have to include the issuer in any decision, because
you have to have some assurance that the binding was legitimate.
We don't yet (won't ever?) have an a priori way of knowing that.

> If not, or maybe not, or sometimes not, should we move to a model where 
> the CAs remain in the authorization picture and asserted names should 
> always be considered in the context of the issuer?

I think this is the safer of the 2 choices you offered.
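The model Mike favours, an authorization decision keyed on the (issuer, subject) pair rather than on the asserted name alone, even where a namespace convention constrains which names a CA may sign, as an added Python example that is not part of the original thread. The CA names, subject DNs, namespace table and access list below are constructed sample data; the prefix-match namespace check is a simplification for illustration, not the Globus signing_policy file format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """A certificate subject together with the CA that asserted it."""
    issuer: str   # issuer DN of the CA that signed the certificate
    subject: str  # subject DN asserted in the certificate


# Constructed namespace policy: the name prefix each trusted CA may sign.
# (Hypothetical data; a stand-in for a signing-policy style convention.)
NAMESPACE_POLICY = {
    "/DC=org/DC=example/CN=Example CA":   "/DC=org/DC=example/",
    "/DC=org/DC=example/CN=Example CA 2": "/DC=org/DC=example/",  # second CA, same namespace
    "/DC=org/DC=partner/CN=Partner CA":   "/DC=org/DC=partner/",
}

ALICE_DN = "/DC=org/DC=example/OU=People/CN=Alice"

# Access list keyed on the subject DN alone (the model the thread argues against).
ACL_SUBJECT_ONLY = {ALICE_DN: "alice"}

# Access list keyed on (issuer, subject): the name is only meaningful in the
# context of the CA that bound it.
ACL_WITH_ISSUER = {
    Identity("/DC=org/DC=example/CN=Example CA", ALICE_DN): "alice",
}


def issuer_may_assert(ident: Identity) -> bool:
    """Namespace check: issuer must be trusted and the subject must lie in its namespace."""
    prefix = NAMESPACE_POLICY.get(ident.issuer)
    return prefix is not None and ident.subject.startswith(prefix)


def authorize_subject_only(ident: Identity) -> Optional[str]:
    """Looks up the asserted DN alone; whoever asserted it is not considered."""
    return ACL_SUBJECT_ONLY.get(ident.subject)


def authorize_with_issuer(ident: Identity) -> Optional[str]:
    """Applies the namespace policy, then looks up the (issuer, subject) pair."""
    if not issuer_may_assert(ident):
        return None  # untrusted CA, or a CA signing outside its namespace
    return ACL_WITH_ISSUER.get(ident)


# Constructed test identities.
LEGIT = Identity("/DC=org/DC=example/CN=Example CA", ALICE_DN)
UNTRUSTED_ISSUER = Identity("/DC=org/DC=elsewhere/CN=Other CA", ALICE_DN)
OUT_OF_NAMESPACE = Identity("/DC=org/DC=partner/CN=Partner CA", ALICE_DN)
SAME_NAMESPACE_OTHER_CA = Identity("/DC=org/DC=example/CN=Example CA 2", ALICE_DN)


if __name__ == "__main__":
    for ident in (LEGIT, UNTRUSTED_ISSUER, OUT_OF_NAMESPACE, SAME_NAMESPACE_OTHER_CA):
        print(f"{ident.issuer:45} subject-only={authorize_subject_only(ident)!s:6} "
              f"with-issuer={authorize_with_issuer(ident)}")
```

The subject-only table maps every identity above to the same local account, because it cannot tell which CA made the binding. The namespace policy removes the untrusted and out-of-namespace cases, but the second in-namespace CA still passes it; only the (issuer, subject) lookup distinguishes that CA's assertion from the one the access list was written for, which is the residual reason the issuer has to stay in the decision.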
