[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

To: Von Welch <vwelch@xxxxxxxxxxxxx>
Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date: Wed, 12 Oct 2005 14:35:56 +0100
Cc: helm@xxxxxxxxxxxx, Frank Siebenlist <franks@xxxxxxxxxxx>,"Tony J. Genovese" <tony@xxxxxx>, 'CAOPS-WG' <caops-wg@xxxxxxx>,'Olle Mulmo' <mulmo@xxxxxxxxxx>,'Joni Hahkala' <joni.hahkala@xxxxxxx>,'Jules Wolfrat' <wolfrat@xxxxxxx>, 'Ron Trompert' <ron@xxxxxxx>
Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
In-reply-to: <14AEF291-777F-4C8D-8C4C-F602A50F0168@ncsa.uiuc.edu>
Organization: University of Kent
References: <200510111805.j9BI5hIr007502@fionn.es.net> <14AEF291-777F-4C8D-8C4C-F602A50F0168@ncsa.uiuc.edu>
Sender: owner-caops-wg@xxxxxxx
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)


Von Welch wrote:

My take is also that it wouldn't be prudent, even with these advances
 in NameConstraints adoption, to assume they remove the need for RP-
 specified policies such as this document describes. That would
require adoption by CAs in general.

Von

Agreed. Also given that the current 3280 semantics are Allow all except,
then you cant rely on the name constraints software to remove certs with different name forms to the ones you specify (and fact you can rely on it to accept them)

regards

David

--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

References:
- Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
  - From: Mike Helm
- Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
  - From: Von Welch

Prev by Date: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Next by Date: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Previous by thread: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Next by thread: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Index(es):
- Date
- Thread