On Oct 14, 2005, at 11:21 AM, Von Welch wrote:
The reason why we are discussing Name Constraints is that they are a way to express the limitations of that trust.
I agree with this point of view. It is not actually far from that expressed by David Chadwick (although I have some reservations about some of the points about time of day restrictions, etc.), and is close to the "real world" issue: if you have verified your identity enough to be allowed access to a building, for example, you may not be allowed into the more restricted areas of that building without stronger proof: a physical key, or passcode, etc. At any given level of entry, the security measure you use may not apply to earlier levels of entry, even though it is "stronger" than what got you in initially.

I still think we need a proposal for an authentication profile that is built ahead of time to fit the idea that further trust might be established through the authorization framework, i.e. by name constraints, etc., as a further measure beyond initial authentication. This would be a different profile than the ones that we have on the books to date, although some ideas from using it might trickle back to the original ones.

Alan

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill@ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================