
Re: WG Last Call: Son-of-2459



Steve,

I agree with most of the comments you have made re revisions to 2459, but I do disagree with the discussion of name constraints and its use in the validation algorithm. I think that name constraints are critically important in PKIs that make extensive use of cross certification. Yet, as you note, they are not commonly used so far. I think that making provision to associate name constraints with trust anchors is a good way to let users (or administrators) locally manage the concerns that this extension addresses, without having to persuade CAs to issue cross certs with such constraints. In fact, I was persuaded to drop my proposal for local issuance of such cross certs because of the inclusion of this facility as a control measure on the validation process.

This will become more than a local implementation issue, as we continue with the DPV/DPD work. My current draft of the message syntax for requests calls for inclusion of name constraints as a validation control parameter, a protocol feature motivated by the notion that name constraints would become a standard part of the validation algorithm.

Steve