
Re: X.509 certificate and its subject name field



Kathy,

	Actually, both the Issuer and Subject DNs are supposed to be
globally unique, under the X.500 model.  However, in a world where not all
CAs are well coordinated and X.500 directory services are not ubiquitous,
one cannot be certain that EITHER will be unique.  Thus, in practice, it
may be necessary to qualify ACL entries based on the entire cert path used
to arrive at the Subject DN, or to impose constraints on the range of
Subject names that any CA is "trusted" to certify.  Remember, in a general
PKI, there may be multiple levels of CAs and so a careless (or malicious)
CA could create a subordinate CA that duplicated the DN of another "root"
CA.  V3 certs provide a facility to constrain the range of names that a CA
is authorized to certify, through the use of the permitted/excluded
subtrees facility in the NameConstraints extension.  A thorough
implementation of certificate validation will automatically enforce such
constraints.

Steve
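A small illustration of the permitted/excluded subtrees rule the message describes, added here as example code and not part of the original post: it models directoryName constraints on toy certificate objects (no ASN.1 parsing; the Cert class, the DN encoding and all sample names are constructed) and walks a path the way a thorough validator would, rejecting a subordinate whose subject duplicates another root CA's DN.

```python
"""Toy check of NameConstraints directoryName subtrees along a cert path (RFC 5280
4.2.1.10, 6.1.4, 7.1). Certificates are plain Python objects, not parsed ASN.1."""
from dataclasses import dataclass, field

DN = tuple  # ((attribute, value), ...) with the most significant RDN first

def in_subtree(dn: DN, base: DN) -> bool:
    """RFC 5280 7.1: a DN lies in a directoryName subtree if the base is a prefix of it."""
    return len(dn) >= len(base) and tuple(dn[:len(base)]) == tuple(base)

def intersect(a: list, b: list) -> list:
    """Intersect two subtree sets: of any nested pair, keep the more specific base."""
    return ([x for x in a if any(in_subtree(x, y) for y in b)]
            + [y for y in b if any(in_subtree(y, x) and y != x for x in a)])

@dataclass
class Cert:
    subject: DN
    issuer: DN
    permitted: list = field(default_factory=list)  # permittedSubtrees (directoryName)
    excluded: list = field(default_factory=list)   # excludedSubtrees (directoryName)

def validate_path(path: list) -> tuple:
    """Walk trust anchor -> ... -> end entity; return (ok, reason). A CA's constraints
    bind every cert after it, never its own subject, so each subject is tested before
    that cert's constraints merge in: permitted narrows (intersection), excluded grows."""
    permitted, excluded = None, []  # None: no permittedSubtrees seen yet
    for i, cert in enumerate(path):
        if i and cert.issuer != path[i - 1].subject:
            return False, f"position {i}: issuer does not match previous subject"
        if permitted is not None and not any(in_subtree(cert.subject, b) for b in permitted):
            return False, f"position {i}: subject outside every permitted subtree"
        if any(in_subtree(cert.subject, b) for b in excluded):
            return False, f"position {i}: subject inside an excluded subtree"
        if cert.permitted:
            permitted = cert.permitted if permitted is None else intersect(permitted, cert.permitted)
        excluded = excluded + cert.excluded
    return True, "ok"

# Constructed sample path: the root limits what its subordinate CA may certify.
ROOT = (("C", "US"), ("O", "Example Root CA"))
SUB = (("C", "US"), ("O", "Example Corp"), ("OU", "Sub CA"))
root = Cert(ROOT, ROOT)
sub = Cert(SUB, ROOT, permitted=[(("C", "US"), ("O", "Example Corp"))],
           excluded=[(("C", "US"), ("O", "Example Corp"), ("OU", "Contractors"))])
alice = Cert((("C", "US"), ("O", "Example Corp"), ("CN", "Alice")), SUB)
rogue = Cert((("C", "US"), ("O", "Other Root CA")), SUB)  # duplicates another root's DN
contractor = Cert((("C", "US"), ("O", "Example Corp"), ("OU", "Contractors")), SUB)
```

Calling `validate_path([root, sub, alice])` accepts the path, while the same call with `rogue` or `contractor` in Alice's place is refused by the permitted and excluded checks respectively.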