RE: WG Last Call: Son-of-2459
>Steve:
>
>->Anyway, since it is clear that not all folks will issue cross certs
>as I suggested, I have to admit to liking the fallback position of
>allowing specification of name constraints as part of the validation
>procedure, on a per trust anchor basis. The main argument I've seen
>is the one that questions whether this should be a user configurable
>parameter, or an administrative parameter, or whether this is a MAY
>(vs. SHOULD/MUST), which allows vendors to ignore the facility
>entirely.
>
>I would strongly disagree with allowing name constraints to be a user
>configurable parameter. This defeats the administrative value and assurance
>that name constraints provide.
>
>David B. Cross
David, I'm not sure that I understand your point. Name constraints only
constrain, they can't "unconstrain". So if the user (or the MIS department)
can specify a name constraint as a configurable parameter, that can only
tighten the noose, not loosen it.

So how does this defeat the administrative value name constraints provide?

Maybe I'm missing something, but I've always liked the idea of the user
acting as the root CA of last resort, since as the relying party it is the user,
and normally not some third-party CA, that has to make the decision as to
whether or not to honor a digital signature and certificate chain.

I believe the same logic applies to policy OID constraints, by the way.

Bob
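
The "tighten, not loosen" behaviour discussed in this message, as an added example that is not part of the original post or of any draft text: a dNSName-only model in which permitted subtrees from each source are intersected and excluded subtrees are unioned. The class, function and host names are hypothetical, and the sample constraints are constructed.

```python
# Added example: dNSName-only model of name-constraint accumulation.
# Assumption: locally configured constraints are attached to the trust
# anchor and processed before constraints carried in CA certificates.

def in_subtree(name, subtree):
    """True if name equals the subtree or is a subdomain of it."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


class ConstraintState:
    def __init__(self):
        self.permitted_sets = []  # name must fit every set (intersection)
        self.excluded = set()     # any match rejects the name (union)

    def apply(self, permitted=None, excluded=()):
        # permitted=None means "this source places no permitted-subtree limit"
        if permitted is not None:
            self.permitted_sets.append(list(permitted))
        self.excluded.update(excluded)

    def allows(self, name):
        if any(in_subtree(name, s) for s in self.excluded):
            return False
        return all(any(in_subtree(name, s) for s in pset)
                   for pset in self.permitted_sets)


def accepted(names, local=None, ca=None):
    """Names that survive the local (trust anchor) and CA constraints."""
    state = ConstraintState()
    for constraints in (local, ca):
        if constraints:
            state.apply(**constraints)
    return {n for n in names if state.allows(n)}


# Constructed sample data
NAMES = ["www.example.com", "mail.corp.example.com",
         "host.test.example.com", "www.example.org", "notexample.com"]
CA = {"permitted": ["example.com"], "excluded": ["test.example.com"]}
LOCAL_TIGHT = {"permitted": ["corp.example.com"]}
LOCAL_WIDE = {"permitted": ["com", "example.org"]}  # tries to widen

if __name__ == "__main__":
    for label, local in [("none", None), ("tight", LOCAL_TIGHT),
                         ("wide", LOCAL_WIDE)]:
        print(label, sorted(accepted(NAMES, local=local, ca=CA)))
```

A local setting broader than the CA's constraints leaves the accepted set unchanged, while a narrower one shrinks it.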