Re: PKIX Part I - Name Constraints
Russ:
At 08:56 PM 9/11/97 -0400, Russ Housley wrote:
>1. I would like to encourage the use of alt names. In my mind, they are
>highly preferable to the alternatives. I'm sure you agree.
I do.
>2. To deal with the exception that you propose, we need to add a
>dependency between rfc822 alt names and X.500 Distinguished Names. I do
>not like this if we can avoid it.
RFC822 names in altnames are not impacted. They are treated exactly as in
the standard. In fact, nothing related to the standard is impacted. What
I am proposing is simply one additional rule that PKIX imposes, which is a
perfectly reasonable thing for a profile to do. If there is an RFC822 name
constraint in force, we just impose one further check on the Subject field.
Very straightforward to implement (if you are already implementing name
constraint logic).
Without this rule, I believe that many early Name Constraints
implementations will have a major loophole. I think it is a PKIX
obligation to provide the rules to secure the migration from the old ways
to the new ways.
Warwick
>Russ
>
>At 05:44 PM 9/11/97 -0400, Warwick Ford wrote:
>>I wish to propose a minor addition to 4.2.1.11 (Name Constraints) of PKIX
>>Part I.
>>
>>Regarding RFC822Name, the most common way to convey an e-mail address today
>>is as a PKCS#9 e-mail attribute in the subject DN. Migration to
>>subjectAltNames will undoubtedly occur in time, and the profile correctly
>>covers that future. However, to ensure that the intent of Name Constraints
>>is met given current styles of naming, I propose that we additionally state
>>that "Restrictions for the rfc822 name form shall also apply to any
>>instance of the PKCS#9 E-mail Name attribute type present in a subject DN."
>>
>>Warwick
>>
>>---------------------------------------------------------------------
>>Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
>> wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
>>---------------------------------------------------------------------
>>
>>
>
>
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------
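
The rule discussed in this thread, as an added example that is not part of the original messages: an rfc822 name-constraint check that inspects only subjectAltName, compared with one that also inspects the PKCS#9 e-mail attribute in the subject DN. The certificate dictionaries and function names are constructed for illustration, and the matching semantics (mailbox, host, or leading-dot domain) are assumed from RFC 5280 section 4.2.1.10, not taken from the thread.

```python
EMAIL_OID = "1.2.840.113549.1.9.1"   # PKCS#9 emailAddress attribute type

def rfc822_matches(addr, constraint):
    """True if mailbox `addr` falls inside one rfc822Name constraint."""
    local, sep, host = addr.rpartition("@")
    if not (sep and local and host):
        return False                          # malformed address matches nothing
    host = host.lower()                       # host part is case-insensitive
    if "@" in constraint:                     # constraint names one mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host == c_host.lower()
    c = constraint.lower()
    if c.startswith("."):                     # any host below the domain
        return host.endswith(c)
    return host == c                          # every mailbox on this host

def violations(cert, permitted, excluded, check_subject_dn=True):
    """Return the e-mail names in `cert` that break the constraints."""
    names = list(cert["san_rfc822"])
    if check_subject_dn:                      # the additional rule proposed above
        names += [v for oid, v in cert["subject"] if oid == EMAIL_OID]
    bad = []
    for name in names:
        if any(rfc822_matches(name, c) for c in excluded):
            bad.append(name)
        elif permitted and not any(rfc822_matches(name, c) for c in permitted):
            bad.append(name)
    return bad

# Constructed sample data: the issuing CA is constrained to corp.example.
PERMITTED = ["corp.example"]
LEGACY_CERT = {   # e-mail carried only in the subject DN, no subjectAltName
    "subject": [("2.5.4.3", "Legacy User"), (EMAIL_OID, "user@other.example")],
    "san_rfc822": [],
}
MODERN_CERT = {   # e-mail carried in subjectAltName
    "subject": [("2.5.4.3", "Modern User")],
    "san_rfc822": ["user@corp.example"],
}

if __name__ == "__main__":
    # SAN-only checking accepts the legacy certificate: the loophole.
    print(violations(LEGACY_CERT, PERMITTED, [], check_subject_dn=False))
    # With the subject DN rule the out-of-constraint address is reported.
    print(violations(LEGACY_CERT, PERMITTED, []))
    print(violations(MODERN_CERT, PERMITTED, []))
```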