[caops-wg] Name Constraints - attempt at framing issues

[David Chadwick]

Cowles, Robert D. wrote:
>>the issue is about global naming. You used a globally unique email 
>>address in the certificate when you posed the question, so I 
>>said yes. 
>>If on the other hand you had just put Brett in the cert then 
>>of course I 
>>would not expect this to always name the same person.
>>
> 
> 
> 
> But how can you believe that brett at isp.com is globally unique
> over time when companies like Verisign will resell "isp.com" 
> almost immediately when it becomes available?

Thats a very good point. Clearly its globally unique, but the fact that 
a unique name might belong to two different people at different points 
in time is an issue that directories have struggled with as well. The 
concept of "zombies" was introduced by directories to deal with this, a 
zombie being a dead name that no longer existed, but had existed in the 
past and therefore could not be reissued to anyone until a certain 
(application configurable) time period had expired. But this would put 
extra load and responsibility on a CA, and as we all know, the 
commercial CAs write their CPSs so that they can remove as much 
liability as possible from themselves, even putting the liability back 
onto the RPs and EEs as much as they can. Ultimately it boils down to a 
CA's procedures and policies, and this dictates how Trustworthy they are

regards

David



> 
> BC
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************