Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file




Sorry Tony, I was unclear.

I meant to say that unless NameConstraints are adopted by CAs in general (which probably means both "Grid CAs" as well as all the various software packages our communities use to generate certificates), we still need something like current ca signing policies (i.e. relying party-specified name constraints).

I was mainly stating that support by openssl for name constraints is a step in the right direction; I didn't see it changing this need.

Von

On Oct 11, 2005, at 6:00 PM, Tony J. Genovese wrote:

My take is also that it wouldn't be prudent, even with these
advances in NameConstraints adoption, to assume they remove
the need for RP-specified policies such as this document
describes. That would require adoption by CAs in general.

The RP-specific policies sound like a reasonable feature. I am not clear on
the statement about adoption by CAs in general... All the CAs working on
Grids are organized and have to modify and change policies over time, so
what new policy needs to be defined? The reason to present the paper here is
that you want us to change, so are you saying some changes are easier for us
or that we will not make the NameConstraint change? Though support for it
does not seem to answer all your issues.