Re: [caops-wg] Name Constraints - attempt at framing issues

[David Chadwick <d.w.chadwick@xxxxxxxxxx>]

Bob

the issue is about global naming. You used a globally unique email 
address in the certificate when you posed the question, so I said yes. 
If on the other hand you had just put Brett in the cert then of course I 
would not expect this to always name the same person.

regards

David

Cowles, Robert D. wrote:
> There are lots of people named David ... should they
> all be the same person?  Maybe they *should*, but
> that doesn't make it so.  As a relying party, without
> a MUST and a reasonable way to implement it with
> good controls, I won't count on it.  I'm a bit leery
> that the CA can ever perform the simpler job, but I can
> mitigate that risk by making the users register and
> if they want to use a new certificate they have to
> register the new one and say it replaces or is to 
> be used as a synonym the old one .... not that I 
> *automatically* the two certificates belong to the
> same EE.
>
> BC
>
>
> > -----Original Message-----
> > From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk] 
> > Sent: Friday, October 14, 2005 7:22 AM
> > To: Cowles, Robert D.
> > Cc: Von Welch; CAOPS-WG
> > Subject: Re: [caops-wg] Name Constraints - attempt at framing issues
> >
> >
> >
> > Cowles, Robert D. wrote:
> >
> > >
> > > I really have trouble believing that anyone would believe
> > > that brett or even brett@isp.net if identified by a certificate
> > > from CA1 would have any relationship to the same name appearing 
> > > in acertificate from CA2.
> > Dear Bob
> >
> > I am one of those who think they should refer to the same entity.
> >
> > David
> >
> >  (In the case of the "email-like" address
> >
> > > it depends on (1) the security of the email system ... for instance
> > > mindspring doesn't have a secure IMAP or POP option so I've just
> > > been sitting thru a conference where a few people's passwords are
> > > broadcast on the wireless network in clear text every 10-15 minutes
> > > ... (2) the policy of the isp about reuse of ids ... if the user 
> > > with the email name brett leaves, can I have that id now?
> > >
> > > Bob
> > --
> >
> > *****************************************************************
> > David W. Chadwick, BSc PhD
> > Professor of Information Systems Security
> > The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> > Tel: +44 1227 82 3221
> > Fax +44 1227 762 811
> > Mobile: +44 77 96 44 7184
> > Email: D.W.Chadwick@kent.ac.uk
> > Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> > Research Web site: http://sec.cs.kent.ac.uk
> > Entrust key validation string: MLJ9-DU5T-HV8J
> > PGP Key ID is 0xBC238DE5
> >
> > *****************************************************************
--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************