-----Original Message----- From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk] Sent: Friday, October 14, 2005 9:48 AM ... Cowles, Robert D. wrote:
The gridmapfile gives no clue as to CA or to VO.
Why do PKI *users* care about 2)?
They dont (except to know which CA to go to). Name constraints is a trust issue between CAs, they set the policies, and then the RPs enforce them when giving access to their resources. Of course an RP can ignore a CA's policy, and trust any cert it wanted to, but then it would be entirely responsible for any losses incurred.
regards David
Precisely .. it's between CA's. When I brought up the issue of signing policy several year ago it was in the context that we weren't telling the relying parties that the authentication mechanism relied on the signing policy file and in keeping the DN's for the CA's to be disjoint sets. A site could easily believe that another CA was entirely trustworthy in authenticating users (e. g. Verisign rather than Thawte) and not realize that if the set of DN's you could get Versign to issue overlapped with one of the other CA's then you no longer had viable authentication, eventhough all the Ca's were doing their job and you correctly described the certificates that could be trusted in the signing policy file. My point is that we always say it's up to the RP to put any CA in the list of trusted CA's but we weren't saying that the DN's MUST NOT overlap those from any other trusted CA.