Mike Helm wrote:
David Chadwick writes:
Hi Mike
there is more to it than what you propose, and this is the second point I make ie. whether 2 different users can be given the same DN or not by different CAs (we assume that the same CA will be competent enough to not do that). If the answer is yes, then your whole infrastructure is broken. If the answer is no, then the sentence below should be changed
Well, in the long long ago, the signing policy was in fact designed for just this situation: CA A & CA B both certify subject name X. Relying party has to decide which one of these versions of X it is willing to trust (or both or neither).
We don't allow this problem to exist in IGTF accredited CAs by policy.
A very sensible policy. regards David And it is generally agreed that such collisions are so
undesirable that this policy is not controversial. There is nothing that can be done about non-accredited CAs (such as government or commercial CAs for instance), altho many of them constrain their namespaces adequately so as not to be a problem.
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************