Re: PKIX Part I - Name Constraints



At 08:07 PM 9/13/97 -0400, Warwick Ford wrote:
>>2.  To deal with the exception that you propose, we need to add a
>>dependency between rfc822 alt names and X.500 Distinguished Names.  I do
>>not like this if we can avoid it.
>
>RFC822 names in altnames are not impacted.  They are treated exactly as in
>the standard.  In fact, nothing related to the standard is impacted.  What
>I am proposing is simply one additional rule that PKIX imposes, which is a
>perfectly reasonable thing for a profile to do.  If there is an RFC822 name
>constraint in force, we just impose one further check on the Subject field.
> Very straightforward to implement (if you are already implementing name
>constraint logic).
>
>Without this rule, I believe that many early Name Constraints
>implementations will have a major loophole.  I think it is a PKIX
>obligation to provide the rules to secure the migration from the old ways
>to the new ways.

I would like to encourage the fastest possible migration to the use of alt
names.  And, I agree that we need to accommodate fielded solutions during
that transition.

In addition to changes in the name constraints section, a forward pointer
should probably be added to section 4.1.2.6 too.

Do you have proposed text?

Russ
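
The loophole discussed in this thread, as an added example that is not part of the original messages. It assumes the "further check on the Subject field" means applying the rfc822Name constraint to emailAddress attributes in the subject DN, which is the rule RFC 5280 section 4.2.1.10 later adopted; the `Cert` model, function names and sample names are hypothetical.

```python
# Added illustration: certificates are modelled as plain data, not parsed X.509.
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: list                                   # (attribute_type, value) pairs
    san_rfc822: list = field(default_factory=list)  # rfc822Name entries in altnames

def mailbox_matches(mailbox: str, constraint: str) -> bool:
    """Match one mailbox against one rfc822Name constraint (RFC 5280 forms)."""
    local, _, host = mailbox.rpartition("@")
    if not local or not host:
        return False                     # not a usable mailbox: never permitted
    host, wanted = host.lower(), constraint.lower()
    if "@" in constraint:                # constraint names one specific mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host == c_host.lower()
    if constraint.startswith("."):       # any host inside the domain
        return host.endswith(wanted)
    return host == wanted                # every mailbox on exactly this host

def permitted(mailbox: str, permitted_subtrees: list) -> bool:
    return any(mailbox_matches(mailbox, c) for c in permitted_subtrees)

def check_san_only(cert: Cert, permitted_subtrees: list) -> bool:
    """Looks only at altnames; a cert with no rfc822 altname passes vacuously."""
    return all(permitted(m, permitted_subtrees) for m in cert.san_rfc822)

def check_with_subject(cert: Cert, permitted_subtrees: list) -> bool:
    """Also applies the constraint to emailAddress attributes in Subject."""
    subject_mail = [v for t, v in cert.subject if t == "emailAddress"]
    return all(permitted(m, permitted_subtrees)
               for m in cert.san_rfc822 + subject_mail)

# Constructed sample data: the CA is constrained to mailboxes at example.com.
PERMITTED = ["example.com"]
LEGACY = Cert(subject=[("CN", "Alice"), ("emailAddress", "alice@other.example")])
MODERN = Cert(subject=[("CN", "Bob")], san_rfc822=["bob@example.com"])

if __name__ == "__main__":
    for name, cert in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, check_san_only(cert, PERMITTED),
              check_with_subject(cert, PERMITTED))
```

The legacy certificate carries its address only in the Subject field, so the altname-only check accepts it while the check with the added rule rejects it.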