Yup, specifically 3280 says that a issuer, as represented by its DN will
guarantee unique serial numbers within its scope and issue within its
scope non-ambiguous subject DNs (e.g. no dupes).
-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf(_at_)mit(_dot_)edu]
Sent: Friday, April 06, 2007 1:14 PM
To: Nicolas Williams
Cc: Bernard Aboba; ietf(_at_)ietf(_dot_)org; emu(_at_)ietf(_dot_)org
Subject: [Emu] Re: Last call
comments:draft-williams-on-channel-binding-01.txt: EAP channel bindings
"Nicolas" == Nicolas Williams <Nicolas(_dot_)Williams(_at_)sun(_dot_)com>
writes:
Nicolas> Also, I think my draft's definition of "end-point channel
Nicolas> bidning" needs to be tightened just a bit: not only must
Nicolas> the end-point IDs be cryptographically bound into the
Nicolas> channel, it must also be the case that the IDs
Nicolas> meaningfully identify the channel end-points -- that is,
Nicolas> that one nodes cannot assert the same ID as another
Nicolas> without sharing credentials with it. I think my text
Nicolas> implies this but does not make it sufficiently explicit.
Be careful. A DN given a trust anchor seems like a find end-point
identifier. However two nodes can share the same DN without sharing
the same credential. Under 3280 rules either the CA issued a
certificate it should not have issued or the two nodes are the same
subject. That's strong enough for the channel binding to be useful
even though the nodes may not share a credential.
_______________________________________________
Emu mailing list
Emu(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/emu
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf