Cowles, Robert D. wrote:
But such "agreements" are just a way of encoding the CA in the random number.
That is the "technical" solution. I was more referring to the policy agreement that if CA-1 issues some uuid to me, that CA-2 will not issue that same number to you.
What about number portability? If I have a number from CA-1 are you saying I can't take that cert to CA-2 and get a certificate from them?
Ough... you're implementing already ;-) I guess that you "are" your uuid after it is issued by the initial CA, so other CAs should probably be able to issue certificates that bind that same uuid to other keys after they are assured that it has the same key-holder associated with it. Being able to limit the number of CAs that can do that through some form of enforced policy constraints is one of the main issues of this discussion... -Frank.
-----Original Message----- From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
...
This means that when you allow multiple CAs to issue random numbers as names for subjects, those CAs should have some agreement that none of their fellow CAs should issue the same random number to a different person/entity. There are some technical solutions that could help to prevent collisions, but the main issue is one of policy conformance.
-Frank.
-- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
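The two ideas in this thread, encoding the issuing CA in the random name so that independent CAs cannot collide, and a policy rule that lets only permitted CAs re-bind an existing name to a new key for the same holder, can be made concrete in a small model. The following is an added example, not code from the thread or from Globus; the tag length, the name length, the `NameRegistry` class and its re-binding policy, and the CA names "CA-1", "CA-2", "CA-3" are all assumptions made for illustration.

```python
"""Hypothetical model of CA-tagged subject names plus a re-binding policy.

Added example for the discussion above; not the thread's or Globus' own code.
Assumptions: a 4-byte CA tag at the front of a 16-byte name, and the
NameRegistry policy described in its docstring.
"""
import hashlib
import os
from typing import Dict, Optional, Set

TAG_LEN = 4    # bytes of the name that encode the issuing CA (assumption)
NAME_LEN = 16  # total name length in bytes, UUID-sized (assumption)


def ca_tag(ca_name: str) -> bytes:
    """Derive a fixed tag for a CA from its name.

    Anyone can recompute the tag, so a relying party can tell from the name
    alone which CA minted it. Uniqueness of tags across CAs is still a policy
    matter: two CAs must not be assigned the same tag.
    """
    return hashlib.sha256(ca_name.encode()).digest()[:TAG_LEN]


def issue_name(ca_name: str, rand: Optional[bytes] = None) -> str:
    """Mint a subject name: the CA tag followed by random bytes (hex string).

    Two CAs with different tags cannot produce the same name, whatever their
    random number generators do, because the tag part always differs.
    """
    rand = os.urandom(NAME_LEN - TAG_LEN) if rand is None else rand
    if len(rand) != NAME_LEN - TAG_LEN:
        raise ValueError("random part has wrong length")
    return (ca_tag(ca_name) + rand).hex()


def minted_by(name: str, ca_name: str) -> bool:
    """True if `name` carries `ca_name`'s tag."""
    return bytes.fromhex(name)[:TAG_LEN] == ca_tag(ca_name)


class NameRegistry:
    """Records the key(s) each name is bound to and enforces a re-binding policy.

    Policy (an assumption for this example):
      * a new name may be created only by the CA whose tag it carries;
      * an existing name may be bound to a further key (number portability)
        only by a CA on that name's permitted list, and only for the same holder.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def bind(self, ca_name: str, name: str, holder: str, pubkey: str,
             permitted_cas: Optional[Set[str]] = None) -> bool:
        rec = self._records.get(name)
        if rec is None:
            if not minted_by(name, ca_name):
                return False  # e.g. CA-2 trying to create a CA-1-tagged name
            self._records[name] = {
                "holder": holder,
                "keys": {pubkey},
                "permitted": set(permitted_cas or ()) | {ca_name},
            }
            return True
        # Existing name: the portability path.
        if rec["holder"] != holder:
            return False  # same number for a different person: the collision to prevent
        if ca_name not in rec["permitted"]:
            return False  # policy constraint: this CA may not re-bind this name
        rec["keys"].add(pubkey)
        return True

    def keys_for(self, name: str) -> Set[str]:
        return set(self._records.get(name, {}).get("keys", ()))


if __name__ == "__main__":
    reg = NameRegistry()
    alice = issue_name("CA-1")
    print("CA-1 mints for alice:", reg.bind("CA-1", alice, "alice", "key-A", {"CA-2"}))
    print("CA-2 re-binds for alice:", reg.bind("CA-2", alice, "alice", "key-A2"))
    print("CA-2 gives it to mallory:", reg.bind("CA-2", alice, "mallory", "key-M"))
    print("CA-3 re-binds for alice:", reg.bind("CA-3", alice, "alice", "key-A3"))
```

The tag makes cross-CA collisions a local check rather than a coordination problem, but it does not remove policy entirely: tag assignment and the permitted-CA list are exactly the agreements the thread says still have to exist.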