[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: TR: Request change in son-of-rfc2633
> "Alberti Antoine" <aalberti@xxxxxxxxx> writes:
> Actually, I even wonder what guarantees that a iAndS is unique, ...
"Peter Gutmann" writes:
| Well, firstly, X.500 theology requires that you believe that
| all (CA) DNs are unique, and to even claim otherwise is
| treason punishable by limb reconstruction. In any case even
| if you do run into a situation where two CAs choose to use
| the same DN, the chance of the serial numbers (a 128-bit or
| 160- bit random hash value in most cases) matching as well
| are... slim.
And also hopefully we are all practicing safe root certificate use.
We are only installing trust roots for domains that conform to our
security policy - this including appropriate obeisance to X.500
theology on the assignment of DN's (and the issue of cross certs).
Of course with root certs being downloaded as part of operating
system updates, many of us may be relying on the os vendor to do