Sorry Tony, I was unclear. I meant to say that unless NameConstraints are adopted by CAs in general (which probably means both "Grid CAs" as well as all the various software packages our communities use to generate certificates), we still need something like current CA signing policies (i.e. relying party-specified name constraints). I was mainly stating that support by openssl for name constraints is a step in the right direction; I didn't see it changing this need.

Von

On Oct 11, 2005, at 6:00 PM, Tony J. Genovese wrote:
My take is also that it wouldn't be prudent, even with these advances in NameConstraints adoption, to assume they remove the need for RP-specified policies such as this document describes. That would require adoption by CAs in general.
The RP-specific policies sound like a reasonable feature. I am not clear on the statement about adoption by CAs in general... All the CAs working on Grids are organized and have to modify and change policies over time, so what new policy needs to be defined? The reason to present the paper here is that you want us to change, so are you saying some changes are easier for us or that we will not make the NameConstraint change? Though support for it does not seem to answer all your issues.