[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

To: "Cowles, Robert D." <rdc@xxxxxxxxxxxxxxxxx>
Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date: Thu, 13 Oct 2005 10:39:03 +0100
Cc: Frank Siebenlist <franks@xxxxxxxxxxx>, helm@xxxxxxxxxxxx,Von Welch <vwelch@xxxxxxxxxxxxx>, "Tony J. Genovese" <tony@xxxxxx>,CAOPS-WG <caops-wg@xxxxxxx>, Olle Mulmo <mulmo@xxxxxxxxxx>,Joni Hahkala <joni.hahkala@xxxxxxx>, Jules Wolfrat <wolfrat@xxxxxxx>,Ron Trompert <ron@xxxxxxx>
Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
In-reply-to: <A34E01EABE96174A81D754F98FC574E8016738D0@exch-mail4.win.slac.stanford.edu>
Organization: University of Kent
References: <A34E01EABE96174A81D754F98FC574E8016738D0@exch-mail4.win.slac.stanford.edu>
Sender: owner-caops-wg@xxxxxxx
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Robert

perhaps the real question is, do you change your authorisation rights more or less frequently than your identifier. If more frequently, then it does not really matter if your identifier changes every year or two since you can change your authorisation rights to match the new identifier when it comes active. But if your authorisation rights are much longer lived than your identifier, then it becomes a pain to have to change these as well. However, in this case I would suggest that your authorisation rights are wrapped into the PKC, say in the subjectDirectoryAttributes extension, then they would carry over to the new identifier.

regards

David

Cowles, Robert D. wrote:

The obvious choice for the "identifier" is the public
key.  The drawback  is that it would be good to change
the keypair more often than you change identity.

Can you explain name collisions cannot occur?

BC
-----Original Message-----
From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
...
When you say "name collisions", you must be referring to either compromised CAs or errors as name collisions should not occur...

--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

References:
- RE: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
  - From: Cowles, Robert D.

Prev by Date: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Next by Date: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Previous by thread: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Next by thread: RE: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Index(es):
- Date
- Thread