[caops-wg] Requirements and rationale for Relying Party Defined Namespace Constraints (signing_policy file)

Mike Helm helm at fionn.es.net
Mon Mar 3 01:15:50 CST 2008


David Chadwick writes:
> Hi Mike
> 
> there is more to it than what you propose, and this is the second point 
> I make, i.e. whether 2 different users can be given the same DN or not by 
> different CAs (we assume that the same CA will be competent enough to 
> not do that). If the answer is yes, then your whole infrastructure is 
> broken. If the answer is no, then the sentence below should be changed 

Well, in the long long ago, the signing policy was in fact designed 
for just this situation: CA A & CA B both certify subject name
X.  Relying party has to decide which one of these versions of X
it is willing to trust (or both or neither).

We don't allow this problem to exist in IGTF accredited CAs by
policy.  And it is generally agreed that such collisions are so
undesirable that this policy is not controversial.  There is
nothing that can be done about non-accredited CAs (such as government
or commercial CAs for instance), although many of them constrain
their namespaces adequately so as not to be a problem.
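
The relying-party decision described in this message (CA A and CA B both certify subject name X), as an added example that is not part of the original thread: it parses a constructed policy written in the Globus-style signing_policy layout and reports which issuer the relying party accepts for a subject DN. All DNs, the function names, and the case-sensitive, `*`-only pattern matching are assumptions of this example.

```python
import re
import shlex

# Constructed sample policy; every DN below is made up for illustration.
SAMPLE_POLICY = """\
# CA A may sign only inside its own namespace
access_id_CA   X509    '/DC=org/DC=example-a/CN=Example CA A'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/DC=org/DC=example-a/*"'

# CA B is trusted as well, but not for the namespace of CA A
access_id_CA   X509    '/DC=org/DC=example-b/CN=Example CA B'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/DC=org/DC=example-b/*" "/O=Example B Grid/*"'
"""

def parse_signing_policy(text):
    """Return {issuer DN: [subject patterns]} for entries that grant CA:sign."""
    policy, issuer, may_sign = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = shlex.split(line)  # ValueError on a malformed line
        if key == "access_id_CA":
            issuer, may_sign = value, False
            policy.setdefault(issuer, [])
        elif key == "pos_rights":
            may_sign = value == "CA:sign"
        elif key == "cond_subjects" and issuer and may_sign:
            policy[issuer] += shlex.split(value)  # inner double-quoted patterns
    return policy

def is_permitted(policy, issuer, subject):
    """True only if the relying party lets this issuer sign this subject DN."""
    for pattern in policy.get(issuer, []):
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, subject):
            return True
    return False  # unlisted issuer or subject outside its namespace

def trusted_issuers(policy, subject, claimed_issuers):
    """Of the CAs that certified the same subject DN, keep those the policy accepts."""
    return [ca for ca in claimed_issuers if is_permitted(policy, ca, subject)]
```
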

