Re: Policy Constraints Object Identifier
Peter,
The obvious choice in a friendly merger is to cross-certify ...
Just as our corporations have merged and (we expect) become stronger,
so too will the PKI offering.
So a reasonable approach is to cross-certify and then
let the name of one of the CAs expire gracefully.
Regards,
John Lowry
Principal Engineer
GTE Internetworking
BBN Technologies
At 02:55 PM 9/11/97 -0700, Peter Williams wrote:
>>
>> >Thanks,
>> >Jean Duffy
>> >
>> >GTE Internetworking
>> >Powered by BBN
>
>
>I know BBN and GTE have been off and on friends for years; but
>it's still a little sad for us Internet types to see any diminishment
>of the BBN name!
>
>Corporate mergers of this sort are, of course, common.
>
>Let's say BBN has issued 50,000 certs to employees, and GTE corporate
>dictum now wanted to change everyone over to [a-z]*@bbn.gte.com. (I
>do not know if they do or do not.)
>
>Obviously one way to do it is to revoke and reissue all certs (and
>handle 50,000 tokens if token-based).
>
>Another way is to revoke the BBN CA(s), and start again with
>new trust points.
>
>How would PKIX technology migrate folk intelligently? A policy mapping, or
>name mapping in a renewed BBN CA certificate, perhaps?
>
>This is a fun topic, after all the recent fuss. It will
>not be long before someone has to deal with precisely
>this scenario.
>
>