
Re: WG Last Call: Son-of-2459



I think that I am in full support of Steve Hanna's point of
view about implementing path constraints just by using
"cross" certificates.

If an administrator needs to configure in a static way
the input constraints, then it seems sufficient to
me to do this via a standard method, i.e. by providing
a certificate. 
 
Denis wrote:

> I am a little bit puzzled with your suggestion. Usually a given application
> trusts an anchor to issue names for some organizations. But another
> application may choose to apply different rules. So this is not a pure
> decision from the CA, otherwise the application would have to evaluate these
> name constraints before accepting them. 

If the other application has different rules, then this is not the same
'trust anchor'. Or, the restriction of names imposed on some 'anchor'
(if this is static for the application)
can be expressed easily as a cross certificate 'against' that 'anchor'. 

> So I have difficulties to see how the original name constraints could be
> handled by using the cross certificates you mention. Whatever, this seems to
> be only a suggestion. :-)

This doesn't sound like a suggestion, it seems to me rather
a description of what can be done with the existing mechanisms.

Regards
Peter
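
The equivalence discussed in this message, as an added example that is not part of the original post: a simplified model (no signature checks, dNSName permitted subtrees only) in which statically configured input name constraints on an anchor and a cross-certificate issued against that anchor accept and reject the same paths. All names (Local Admin CA, Vendor Root, example.com) and the helper functions are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields needed for name chaining and constraints."""
    issuer: str
    subject: str
    dns_names: tuple = ()   # subjectAltName dNSName values
    permitted: tuple = ()   # nameConstraints permittedSubtrees (dNSName); empty = none

def in_subtree(name, base):
    # dNSName constraint: the base itself, or the base with labels added on the left.
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)

def validate(path, anchor, initial_permitted=()):
    """Walk the path from the anchor down; signatures are NOT modelled."""
    constraint_sets = [tuple(initial_permitted)] if initial_permitted else []
    expected_issuer = anchor
    for cert in path:
        if cert.issuer != expected_issuer:
            return False
        # Every constraint set seen so far must permit each name (intersection).
        for allowed in constraint_sets:
            if not all(any(in_subtree(n, b) for b in allowed) for n in cert.dns_names):
                return False
        if cert.permitted:
            constraint_sets.append(cert.permitted)
        expected_issuer = cert.subject
    return True

# Constructed sample hierarchy (all names are hypothetical).
issuing = Cert("CN=Vendor Root", "CN=Vendor Issuing CA")
ee_ok = Cert("CN=Vendor Issuing CA", "CN=www", dns_names=("www.example.com",))
ee_bad = Cert("CN=Vendor Issuing CA", "CN=mail", dns_names=("mail.example.net",))
# Cross-certificate issued by the administrator's own CA "against" the vendor anchor.
cross = Cert("CN=Local Admin CA", "CN=Vendor Root", permitted=("example.com",))

def with_input_constraints(ee):
    # Option 1: trust Vendor Root directly, constraints supplied as static input.
    return validate([issuing, ee], "CN=Vendor Root", initial_permitted=("example.com",))

def with_cross_certificate(ee):
    # Option 2: trust only Local Admin CA; the constraint travels in the cross-certificate.
    return validate([cross, issuing, ee], "CN=Local Admin CA")

if __name__ == "__main__":
    for ee in (ee_ok, ee_bad):
        print(ee.dns_names, with_input_constraints(ee), with_cross_certificate(ee))
```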