[caops-wg] Name Constraints - attempt at framing issues

Cowles, Robert D. rdc at slac.stanford.edu
Thu Oct 13 22:19:37 CDT 2005


> If CA1's key is also used to forge a certificate for Brett (even
> though this is outside what CA1 should be signing), are we concerned
> about the additional threat that the forged Brett certificate could
> also be used by the entity that compromised CA1 to further
> compromise the relying party?

Thanks very much for the description.

I really have trouble believing that anyone would believe
that brett or even brett at isp.net, if identified by a certificate
from CA1, would have any relationship to the same name appearing
in a certificate from CA2. (In the case of the "email-like" address
it depends on (1) the security of the email system ... for instance
mindspring doesn't have a secure IMAP or POP option, so I've just
been sitting through a conference where a few people's passwords are
broadcast on the wireless network in clear text every 10-15 minutes
... (2) the policy of the ISP about reuse of ids ... if the user
with the email name brett leaves, can I have that id now?)

Bob