RE: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
The obvious choice for the "identifier" is the public key. The drawback is that it would be good to change the keypair more often than you change identity. Can you explain name collisions cannot occur?
BC
-----Original Message----- From: Frank Siebenlist [mailto:franks@mcs.anl.gov] ...
When you say "name collisions", you must be referring to either compromised CAs or errors as name collisions should not occur...
Cowles, Robert D. wrote:
The obvious choice for the "identifier" is the public key. The drawback is that it would be good to change the keypair more often than you change identity.
:-)
Can you explain name collisions cannot occur?
Careful... I said "should", not "cannot"... CAs are supposed to "know" not to overstep their issuing boundaries through secret handshakes and such. -Frank.
-----Original Message----- From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
...
When you say "name collisions", you must be referring to either compromised CAs or errors as name collisions should not occur...
-- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
Typo... try again:
Can you explain name collisions cannot occur?
Careful... I said "should not", not "cannot"... CAs are supposed to "know" not to overstep their issuing boundaries through secret handshakes and such. This means that when you allow multiple CAs to issue random numbers as names for subjects, those CAs should have some agreement that none of their fellow CAs should issue the same random number to a different person/entity. There are some technical solutions that could help to prevent collisions, but the main issue is one of policy conformance. -Frank.
Frank Siebenlist wrote:
Cowles, Robert D. wrote:
The obvious choice for the "identifier" is the public key. The drawback is that it would be good to change the keypair more often than you change identity.
:-)
Can you explain name collisions cannot occur?
Careful... I said "should", not "cannot"...
CAs are supposed to "know" not to overstep their issuing boundaries through secret handshakes and such.
-Frank.
-----Original Message----- From: Frank Siebenlist [mailto:franks@mcs.anl.gov] ...
When you say "name collisions", you must be referring to either compromised CAs or errors as name collisions should not occur...
-- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
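As an added illustration of the "technical solutions" Frank alludes to (this is not code from the thread or from Globus), the following models X.509-style directoryName name constraints: each CA is confined to its own permitted subtree, so two CAs that both pick the same random number as a CN still produce different full names, and a CA issuing outside its subtree is rejected. The CA names, DN prefixes and identifiers are constructed for the example.

```python
from typing import Dict, List, Tuple

# An ordered list of RDNs, e.g. [("C", "US"), ("O", "ANL"), ("CN", "4711")].
DN = List[Tuple[str, str]]


def parse_dn(text: str) -> DN:
    """Parse a '/C=US/O=ANL/CN=4711' style string into ordered RDNs."""
    parts = [p for p in text.strip("/").split("/") if p]
    return [tuple(p.split("=", 1)) for p in parts]  # type: ignore[misc]


def in_subtree(subject: DN, base: DN) -> bool:
    """RFC 5280 directoryName matching: the subject lies within the base
    subtree when the base's RDNs are a leading prefix of the subject's."""
    return len(subject) >= len(base) and subject[: len(base)] == base


def check_constraints(subject: DN, permitted: List[DN], excluded: List[DN]) -> bool:
    """Apply permittedSubtrees / excludedSubtrees to a subject DN.
    An empty permitted list means 'unconstrained' (any name is allowed)."""
    if any(in_subtree(subject, x) for x in excluded):
        return False
    if permitted and not any(in_subtree(subject, p) for p in permitted):
        return False
    return True


class Registry:
    """Federation-wide view of which CA issued which full subject name.
    Constructed for the example: constraints map a CA name to its permitted
    subtrees (empty list = unconstrained, as in the 'random number' scenario)."""

    def __init__(self, constraints: Dict[str, List[DN]]):
        self.permitted = constraints
        self.issued: Dict[Tuple[Tuple[str, str], ...], str] = {}

    def issue(self, ca: str, subject_text: str) -> str:
        subject = parse_dn(subject_text)
        if not check_constraints(subject, self.permitted[ca], []):
            raise ValueError(f"{ca} may not issue {subject_text}: outside its subtree")
        key = tuple(subject)
        if key in self.issued and self.issued[key] != ca:
            raise ValueError(f"collision: {subject_text} already issued by {self.issued[key]}")
        self.issued[key] = ca
        return subject_text
```

Without constraints, two CAs issuing `/CN=4711` collide and only policy keeps them apart; with each CA pinned to its own subtree, the same random CN yields `/C=US/O=ANL/CN=4711` and `/C=UK/O=Kent/CN=4711`, which cannot collide.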
Robert, perhaps the real question is, do you change your authorisation rights more or less frequently than your identifier? If more frequently, then it does not really matter if your identifier changes every year or two, since you can change your authorisation rights to match the new identifier when it becomes active. But if your authorisation rights are much longer lived than your identifier, then it becomes a pain to have to change these as well. However, in this case I would suggest that your authorisation rights are wrapped into the PKC, say in the subjectDirectoryAttributes extension; then they would carry over to the new identifier.
regards
David
Cowles, Robert D. wrote:
The obvious choice for the "identifier" is the public key. The drawback is that it would be good to change the keypair more often than you change identity.
Can you explain name collisions cannot occur?
BC
-----Original Message----- From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
...
When you say "name collisions", you must be referring to either compromised CAs or errors as name collisions should not occur...
--
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5