[caops-wg] Requirements and rationale for Relying Party Defined Namespace Constraints (signing_policy file)
David Chadwick
d.w.chadwick at kent.ac.uk
Tue Mar 4 09:43:14 CST 2008
Mike Helm wrote:
> David Chadwick writes:
>> Hi Mike
>>
>> there is more to it than what you propose, and this is the second point
>> I make ie. whether 2 different users can be given the same DN or not by
>> different CAs (we assume that the same CA will be competent enough to
>> not do that). If the answer is yes, then your whole infrastructure is
>> broken. If the answer is no, then the sentence below should be changed
>
> Well, in the long long ago, the signing policy was in fact designed
> for just this situation: CA A & CA B both certify subject name
> X. Relying party has to decide which one of these versions of X
> it is willing to trust (or both or neither).
>
> We don't allow this problem to exist in IGTF accredited CAs by
> policy.
A very sensible policy.
regards
David
And it is generally agreed that such collisions are so
> undesirable that this policy is not controversial. There is
> nothing that can be done about non-accredited CAs (such as government
> or commercial CAs for instance), altho many of them constrain
> their namespaces adequately so as not to be a problem.
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
More information about the caops-wg
mailing list