
Re: Policy Constraints Object Identifier



Policy mapping would imply re-issuance to get the new mappings onto the required certs.  I believe this is a classic case for cross certification for each (BBN and GTE) authority, recognizing the root public key as a CA in their own hierarchy (if they have a hierarchy) or chain (web) of trust.

Michael

>>> Peter Williams <peter@verisign.com> 09/11/97 03:55PM >>>
>
> >Thanks,
> >Jean Duffy
> >
> >GTE Internetworking
> >Powered by BBN


I know BBN and GTE have been off and on friends for years; but
it's still a little sad for us Internet types to see any diminishment
of the BBN name!

Corporate mergers of this sort are, of course, common.

Let's say BBN has issued 50,000 certs to employees, and GTE corporate
dictum now wanted to change everyone over to [a-z]*@bbn.gte.com. (I
do not know if they do or do not.)

Obviously one way to do it is to revoke and reissue all certs (and
handle 50,000 tokens if token-based).

Another way is to revoke the BBN CA(s), and start again with
new trust points.

How would PKIX technology migrate folk intelligently? A policy mapping, or
name mapping in a renewed BBN CA certificate, perhaps?

This is a fun topic, after all the recent fuss. It will
not be long before someone has to deal with precisely
this scenario.
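
The cross-certification approach suggested in the reply above, as an added example that is not part of the original thread: a new root signs a CA certificate over the existing CA's name and public key, so certificates already issued chain to the new trust point without being reissued. All names and keys are constructed, only one direction (GTE certifying the BBN CA key) is shown, and the check covers names, signatures and the CA flag only, not full PKIX path validation (no validity, revocation or policy processing). It assumes the Python `cryptography` package.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, subject_pub, issuer, issuer_key, is_ca):
    """Issue a certificate for subject_pub, signed by issuer_key."""
    start = datetime.datetime(2024, 1, 1)  # constructed validity window
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(subject_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer_cert):
    """True if issuer_cert is a CA whose name and key match cert's issuer and signature."""
    bc = issuer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    if cert.issuer != issuer_cert.subject or not bc.ca:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def chain_ok(path):
    """path is ordered [end entity, ..., trust anchor]."""
    return all(signed_by(c, i) for c, i in zip(path, path[1:]))

def demo():
    bbn_key, gte_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    bbn, gte = name("BBN CA (constructed)"), name("GTE Root (constructed)")
    bbn_root = issue(bbn, bbn_key.public_key(), bbn, bbn_key, True)  # old trust point
    gte_root = issue(gte, gte_key.public_key(), gte, gte_key, True)  # new trust point
    employee = issue(name("employee (constructed)"), user_key.public_key(), bbn, bbn_key, False)
    # Cross-certificate: same BBN CA name and key, but issued by the GTE root.
    cross = issue(bbn, bbn_key.public_key(), gte, gte_key, True)
    return {"old_path": chain_ok([employee, bbn_root]),
            "direct_to_gte": chain_ok([employee, gte_root]),
            "via_cross_cert": chain_ok([employee, cross, gte_root])}

if __name__ == "__main__":
    print(demo())
```

The employee certificate is issued once and never modified; only the single cross-certificate is new.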