[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file

To: helm@xxxxxxxxxxxx
Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
From: Matt Crawford <crawdad@xxxxxxxx>
Date: Thu, 13 Oct 2005 08:46:22 -0500
Cc: CAOPS-WG <caops-wg@xxxxxxx>
Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
In-reply-to: <200510121841.j9CIf9CR027030@fionn.es.net>
References: <200510121841.j9CIf9CR027030@fionn.es.net>
Sender: owner-caops-wg@xxxxxxx

On Oct 12, 2005, at 13:41, Mike Helm wrote:

We switched from a test, development lab CA (DOE Science Grid) to a production
quality CA (doegrids), and we used this property to ease subscribers'
transition to the new CA. Lesson? Overlapping name spaces might be useful!

Overlapping namespaces considered harmful --

The two CAs were not of equal "quality" (security and assurance level). The existing mechanisms did not enable a service to authorize subjects from the better CA to a different level than subjects from the inferior CA. (Unless one of those levels was "zero.")

Follow-Ups:
- Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
  - From: Mike Helm

References:
- Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
  - From: Mike Helm

Prev by Date: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Next by Date: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Previous by thread: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Next by thread: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Index(es):
- Date
- Thread