Re: charter revisions
"Hallam-Baker, Phillip" wrote:
> > Name constraints allow you to limit the "bad things" that happen. You
> > can trust MIT to certify MIT affiliates without worrying about whether
> > they might issue a certificate claiming to be for George W. Bush.
>
> No you can't.
>
> You can prevent someone from issuing a certificate that claims to
> be for C=US; O=Government; OU=EOP; CN=George W Bush.
>
> What you can't do is to stop someone from issuing a subjectAltName
> for potus@xxxxxxxxxxx

Use a name constraint with permitted subtrees of:

    rfc822Name:mit.edu

-Steve
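
How a relying party would evaluate the permitted subtree suggested in the reply above, as an added example that is not part of the original message. It implements the rfc822Name matching rules of RFC 5280, section 4.2.1.10; the function names and all sample addresses are constructed for illustration.

```python
# Added example: rfc822Name name-constraint matching (RFC 5280, 4.2.1.10).
# Function names and sample addresses are constructed, not from the thread.

def rfc822_matches(constraint: str, address: str) -> bool:
    """True if a subjectAltName rfc822Name falls inside one constraint subtree."""
    local, sep, host = address.rpartition("@")
    if not sep or not local or not host:
        return False                      # malformed address never matches
    host = host.lower()                   # host names compare case-insensitively
    if "@" in constraint:                 # full mailbox: exact match only
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host == c_host.lower()
    c = constraint.lower()
    if c.startswith("."):                 # ".mit.edu": subdomains, not the host itself
        return host.endswith(c) and len(host) > len(c)
    return host == c                      # "mit.edu": that host only, no suffix match


def violations(addresses, permitted, excluded=()):
    """Return the rfc822Name values that the constraints reject."""
    rejected = []
    for addr in addresses:
        if any(rfc822_matches(c, addr) for c in excluded):
            rejected.append(addr)         # excluded subtrees always win
        elif permitted and not any(rfc822_matches(c, addr) for c in permitted):
            rejected.append(addr)         # outside every permitted subtree
    return rejected


# Constructed subjectAltName values a constrained CA might try to certify.
SAMPLE = [
    "student@mit.edu",
    "potus@example.org",
    "potus@notmit.edu",      # would pass a naive string-suffix comparison
    "student@lcs.mit.edu",   # subdomain: needs a ".mit.edu" subtree as well
]

if __name__ == "__main__":
    for subtrees in (["mit.edu"], ["mit.edu", ".mit.edu"]):
        print(subtrees, "rejects", violations(SAMPLE, subtrees))
```

A certificate that carries no rfc822Name at all is not restricted by this subtree, so a validator must also apply the constraint to any e-mail address placed in the subject distinguished name, as RFC 5280 requires.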