Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Cowles, Robert D.
rdc at slac.stanford.edu
Sat Oct 15 19:11:01 CDT 2005
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk]
> Sent: Thursday, October 13, 2005 2:39 AM
...
>
> Robert
>
> perhaps the real question is, do you change your authorisation rights
> more or less frequently than your identifier. If more frequently, then
> it does not really matter if your identifier changes every year or two
> since you can change your authorisation rights to match the new
> identifier when it comes active. But if your authorisation rights are
> much longer lived than your identifier, then it becomes a pain to have
> to change these as well. However, in this case I would suggest that your
> authorisation rights are wrapped into the PKC, say in the
> subjectDirectoryAttributes extension, then they would carry over to the
> new identifier.
>
> regards
>
> David
Interesting point .. and that is precisely a problem
we have with Attribute Certificates and Proxy Certificate
renewal. I have been wondering if we can extend the allowed
lifetime of proxy certificates so long as we can revoke
their authorization to do anything.
BC