
RE: 3280bis: CRL validation



Steve,

I agree with your conclusion.
We must assume legitimate DN reuse in our model, not only for end
entities but also for CAs.

In many cases CAs will attest that a name is correct, but not
necessarily that it is unique.

/Stefan
 

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Stephen Kent
> Sent: 3 June 2005 19:53
> To: Sharon Boeyen
> Cc: 'Denis Pinkas'; David A. Cooper; pkix
> Subject: RE: 3280bis: CRL validation
> 
> 
> Sharon,
> 
> I agree that the X.500 model of naming assumes unambiguous names and
> that X.509 inherits this model. However, in reality, we do not have
> a global DIT and thus there are no good assurances that CAs operating
> in different contexts will not issue certs to different entities
> using the same subject DN. As a result, I think we have to develop
> standards guidance that acknowledges the potential of DN reuse under
> different CAs.
> 
> Steve