[caops-wg] Name Constraints - attempt at framing issues

David Chadwick d.w.chadwick at kent.ac.uk
Fri Oct 14 10:11:09 CDT 2005


Bob

the issue is about global naming. You used a globally unique email 
address in the certificate when you posed the question, so I said yes. 
If on the other hand you had just put Brett in the cert then of course I 
would not expect this to always name the same person.

regards

David

Cowles, Robert D. wrote:
> There are lots of people named David ... should they
> all be the same person?  Maybe they *should*, but
> that doesn't make it so.  As a relying party, without
> a MUST and a reasonable way to implement it with
> good controls, I won't count on it.  I'm a bit leery
> that the CA can ever perform the simpler job, but I can
> mitigate that risk by making the users register and
> if they want to use a new certificate they have to
> register the new one and say it replaces or is to 
> be used as a synonym for the old one .... not that I 
> *automatically* the two certificates belong to the
> same EE.
> 
> BC
> 
> 
>>-----Original Message-----
>>From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk] 
>>Sent: Friday, October 14, 2005 7:22 AM
>>To: Cowles, Robert D.
>>Cc: Von Welch; CAOPS-WG
>>Subject: Re: [caops-wg] Name Constraints - attempt at framing issues
>>
>>
>>
>>Cowles, Robert D. wrote:
>>
>>> 
>>
>>>I really have trouble believing that anyone would believe
>>>that brett or even brett at isp.net if identified by a certificate
>>>from CA1 would have any relationship to the same name appearing 
>>>in a certificate from CA2.
>>
>>Dear Bob
>>
>>I am one of those who think they should refer to the same entity.
>>
>>David
>>
>>>(In the case of the "email-like" address
>>
>>>it depends on (1) the security of the email system ... for instance
>>>mindspring doesn't have a secure IMAP or POP option so I've just
>>>been sitting thru a conference where a few people's passwords are
>>>broadcast on the wireless network in clear text every 10-15 minutes
>>>... (2) the policy of the isp about reuse of ids ... if the user 
>>>with the email name brett leaves, can I have that id now?
>>>
>>>Bob
>>>
>>>
>>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
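The mitigation Bob describes above (a relying party registers each certificate to a local account, and a new certificate is only accepted as the same end entity once the holder of the old one declares it a replacement or synonym, rather than the relying party assuming that the same e-mail name from two CAs is the same person) as an added Python example. This is not code from the thread or from any CAOPS-WG project; the issuer names, e-mail names and account ids are constructed, and the class and method names are my own choices.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class CertId:
    """Identity of a certificate as the relying party sees it: which CA issued it
    plus the e-mail name it asserts.  The issuer is part of the key on purpose:
    the same e-mail name under a different issuer is a different key."""
    issuer: str          # issuer DN, e.g. "CN=CA1" (constructed values below)
    subject_email: str   # e-mail name (rfc822Name) asserted in the certificate

    def __post_init__(self) -> None:
        # Treat the domain part of the address as case-insensitive and keep the
        # local part as issued; frozen dataclass, so assign via object.__setattr__.
        local, sep, domain = self.subject_email.partition("@")
        object.__setattr__(self, "subject_email", local + sep + domain.lower())


class BindingRegistry:
    """Relying-party table of (issuer, e-mail name) -> local account.

    Nothing is inferred from the name alone: a certificate resolves to an
    account only if that account registered it, or if a certificate the account
    already owns was used to declare the new one a replacement/synonym."""

    def __init__(self) -> None:
        self._bindings: Dict[CertId, str] = {}

    def register(self, account: str, cert: CertId) -> None:
        """Bind a certificate to an account that has authenticated by other means
        (an enrolment step).  Never silently move a certificate between accounts."""
        owner = self._bindings.get(cert)
        if owner is not None and owner != account:
            raise PermissionError(f"{cert} is already bound to {owner}")
        self._bindings[cert] = account

    def register_synonym(self, old_cert: CertId, new_cert: CertId) -> None:
        """The holder of old_cert (already bound) declares that new_cert replaces
        it or is to be used as a synonym.  The account is taken from old_cert, so
        the caller must have authenticated with old_cert before invoking this."""
        account = self._bindings.get(old_cert)
        if account is None:
            raise PermissionError(f"{old_cert} is not a registered certificate")
        self.register(account, new_cert)

    def unregister(self, cert: CertId) -> None:
        """Drop a binding, e.g. when the ISP reports that the e-mail id was
        reassigned to a different user (Bob's risk (2) above)."""
        self._bindings.pop(cert, None)

    def resolve(self, cert: CertId) -> Optional[str]:
        """Return the bound account, or None.  A CA2 certificate carrying the same
        e-mail name as a registered CA1 certificate returns None until the holder
        of the CA1 certificate registers it as a synonym."""
        return self._bindings.get(cert)


if __name__ == "__main__":
    reg = BindingRegistry()
    ca1_brett = CertId("CN=CA1", "brett@isp.net")   # constructed
    ca2_brett = CertId("CN=CA2", "brett@isp.net")   # constructed
    reg.register("acct-0042", ca1_brett)
    print(reg.resolve(ca1_brett))   # acct-0042
    print(reg.resolve(ca2_brett))   # None: same name, different CA, not registered
    reg.register_synonym(ca1_brett, ca2_brett)
    print(reg.resolve(ca2_brett))   # acct-0042
```

The lookup key deliberately includes the issuer, so the "global naming" question in this thread never has to be answered by the relying party: two certificates are the same end entity only because a registered holder said so, and the binding can be withdrawn with `unregister` when the ISP reuses the id.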