Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

[Frank Siebenlist <franks@xxxxxxxxxxx>]

Typo... try again:

> Can you explain name collisions cannot occur?  
Careful... I said "should not", not "cannot"...

CA's are supposed to "know" not to overstep their issuing boundaries 
through secret handshakes and such.

This means that when you allow multiple CAs to issue random numbers as 
names for subjects, those CAs should have some agreement that none of 
their fellow CAs should issue the same random number to a different 
person/entity. There are some technical solutions that could help to 
prevent collisions, but the main issue is one of policy conformance.

-Frank.



Frank Siebenlist wrote:
> Cowles, Robert D. wrote:
> > The obvious choice for the "identifier" is the public
> > key.  The drawback  is that it would be good to change
> > the keypair more often than you change identity.
> >   
> :-)
>
> > Can you explain name collisions cannot occur?
> >   
> Careful... I said "should", not "cannot"...
>
> CA's are supposed to "know" not to overstep their issuing boundaries 
> through secret handshakes and such.
>
> -Frank.
>
>
>
> > > -----Original Message-----
> > > From: Frank Siebenlist [mailto:franks@mcs.anl.gov]     
> > ...
> >  
> > > When you say "name collisions", you must be referring to either 
> > > compromised CAs or errors as name collisions should not occur...
> > >
> > >     
> >   
--
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory