RE: WG Last Call: Son-of-2459
Steve:
->Anyway, since it is clear that not all folks will issue cross certs
as I suggested, I have to admit to liking the fallback position of
allowing specification of name constraints as part of the validation
procedure, on a per trust anchor basis. The main argument I've seen
is the one that questions whether this should be a user configurable
parameter, or an administrative parameter, or whether this is a MAY
(vs. SHOULD/MUST), which allows vendors to ignore the facility
entirely.
I would strongly disagree with allowing name constraints to be a user
configurable parameter. This defeats the administrative value and assurance
that name constraints provide.
David B. Cross