[caops-wg] Name Constraints - attempt at framing issues

Von Welch vwelch at ncsa.uiuc.edu
Thu Oct 13 21:16:00 CDT 2005


After reading through this long, interesting conversation, I would  
like to suggest the following questions to frame this discussion. Von

1) What CAs do we wish to consider as potential issuers for our  
community? Is it just "Grid CAs" (by that I mean CAs we can reasonably  
expect to adhere to best practices as specified by GGF WGs) or do we  
want to also consider CAs that we have no reasonable expectation of  
being able to impact their policies or procedures (e.g. commercial  
CAs) as potential issuers for our community as well?

2) Do we believe that during normal operation the CAs indicated in  
the response to the first question have policy that will result in  
their issuing globally unique names and will reliably follow that  
policy?

3) If a CA is compromised, given current implementations, this will  
result in the compromise of all certificates issued by that CA. An  
additional threat that a CA compromise would result in is the  
compromise of privileges bound to certificates issued by other CAs,  
at relying parties that trust the compromised CA. Is this threat of  
concern to us?
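
The threat in question 3, seen from the relying party's side, as an added example that is not part of the original message. The CA names, namespaces, subject names and accounts are constructed, signature validation is assumed to have already succeeded, and matching a namespace by string prefix is a simplification of real name-constraint processing.

```python
# Added illustration; all names below are constructed sample data.
# Each trusted CA is listed with the subject namespace it is expected to issue in.
TRUSTED_CAS = {
    "/O=ExampleGrid/CN=CA A": ["/O=ExampleGrid/OU=SiteA/"],
    "/O=OtherOrg/CN=CA B": ["/O=OtherOrg/"],
}

# Privileges are bound to subject names only, as in a DN-to-account map.
ACCOUNT_MAP = {
    "/O=ExampleGrid/OU=SiteA/CN=Alice": "alice_admin",
    "/O=OtherOrg/CN=Bob": "bob",
}


def authorize_by_subject_only(issuer, subject):
    """Accept any subject name from any trusted CA (no name constraints)."""
    if issuer not in TRUSTED_CAS:
        return None
    return ACCOUNT_MAP.get(subject)


def authorize_with_namespace(issuer, subject):
    """Additionally require the subject to lie in the issuer's namespace."""
    prefixes = TRUSTED_CAS.get(issuer)
    if prefixes is None:
        return None
    if not any(subject.startswith(p) for p in prefixes):
        return None  # issuer signed a name outside its own namespace
    return ACCOUNT_MAP.get(subject)


def compare(issuer, subject):
    """Return (decision without constraints, decision with constraints)."""
    return (authorize_by_subject_only(issuer, subject),
            authorize_with_namespace(issuer, subject))


if __name__ == "__main__":
    # Certificate signed by CA B but carrying a name from CA A's namespace.
    print(compare("/O=OtherOrg/CN=CA B", "/O=ExampleGrid/OU=SiteA/CN=Alice"))
    # Certificates issued inside the issuer's own namespace are unaffected.
    print(compare("/O=ExampleGrid/CN=CA A", "/O=ExampleGrid/OU=SiteA/CN=Alice"))
    print(compare("/O=OtherOrg/CN=CA B", "/O=OtherOrg/CN=Bob"))
```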





