There are lots of people named David ... should they all be the same person? Maybe they *should*, but that doesn't make it so. As a relying party, without a MUST and a reasonable way to implement it with good controls, I won't count on it. I'm a bit leery that the CA can ever perform the simpler job, but I can mitigate that risk by making the users register and if they want to use a new certificate they have to register the new one and say it replaces or is to be used as a synonym for the old one .... not that I *automatically* assume the two certificates belong to the same EE. BC
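The relying-party approach Bob describes, as an added illustration that is not part of the thread: accounts are bound to a specific certificate (issuer plus name plus a constructed fingerprint placeholder), and a certificate from a second CA carrying the same name resolves to nothing until the account holder explicitly registers it as a replacement or synonym. The class and method names are assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertId:
    """What the relying party keys on: the issuing CA plus the name exactly
    as that CA issued it. A fingerprint keeps two certificates with the same
    name from the same CA distinct."""
    issuer: str
    subject: str
    fingerprint: str  # constructed placeholder values in demo() below


class Registry:
    """Binds certificates to local accounts only through explicit registration."""

    def __init__(self):
        self._bindings = {}  # CertId -> account id

    def register(self, account, cert):
        if cert in self._bindings:
            raise ValueError("certificate already bound to an account")
        self._bindings[cert] = account

    def _require_owner(self, account, cert):
        # Only the account that already holds a certificate may link another to it.
        if self._bindings.get(cert) != account:
            raise PermissionError("account does not hold that certificate")

    def replace(self, account, old, new):
        self._require_owner(account, old)
        del self._bindings[old]  # the old certificate stops resolving
        self.register(account, new)

    def add_synonym(self, account, existing, new):
        self._require_owner(account, existing)
        self.register(account, new)  # both certificates now map to the account

    def resolve(self, cert):
        # No name-based matching: an unregistered certificate resolves to None.
        return self._bindings.get(cert)


def demo():
    reg = Registry()
    ca1 = CertId("CN=CA1", "brett@isp.net", "fp-constructed-1")
    ca2 = CertId("CN=CA2", "brett@isp.net", "fp-constructed-2")
    reg.register("acct-brett", ca1)
    before = reg.resolve(ca2)  # same name, different CA: not linked
    reg.add_synonym("acct-brett", ca1, ca2)
    after = reg.resolve(ca2)  # linked only after explicit registration
    return before, after
```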
-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk]
Sent: Friday, October 14, 2005 7:22 AM
To: Cowles, Robert D.
Cc: Von Welch; CAOPS-WG
Subject: Re: [caops-wg] Name Constraints - attempt at framing issues
Cowles, Robert D. wrote:
I really have trouble believing that anyone would believe that brett or even brett@isp.net if identified by a certificate from CA1 would have any relationship to the same name appearing in a certificate from CA2.
Dear Bob
I am one of those who think they should refer to the same entity.
David
(In the case of the "email-like" address
it depends on (1) the security of the email system ... for instance Mindspring doesn't have a secure IMAP or POP option so I've just been sitting through a conference where a few people's passwords are broadcast on the wireless network in clear text every 10-15 minutes ... (2) the policy of the ISP about reuse of IDs ... if the user with the email name brett leaves, can I have that ID now?
Bob
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************