Re: New other certs extension I-D
Stephen,
I did a quick read of the I-D and I do have a concern. The
text says:

    When this
    extension is present the CA is asserting that the same end entity is
    the subject of the relevant certificates. Mechanisms for how this
    assertion is validated by the CA or used by consumers of the
    certificate are out of scope of this memo.

I agree that the CA's actions re validation may be outside the
scope of a document like this. However, we might say that the CA is
expected to have acted in accordance with any CP cited in the new
cert, and performed whatever validation called for in the CPS for the
CA.
I am less sanguine about being silent re what the client (RP) is
expected to do based on these links. That creates a dangerous
ambiguity. Since there were some examples provided to motivate this
extension, I think you should use those as a starting point to
describe what you think a client will do, based on this extension.
Also, is issuer name and serial # the best linkage to use, given that
we know that CA names are not globally unique?
Steve