Ray,
In a message last month you said "At this point, I am
tempted to remove the DN subordination requirement
when checking certificates at this point..." Please don't.
Unless you are prepared to display complete certification paths
for users, the name subordination requirement is necessary to
prevent the last certificate in a chain from spoofing a user. The
reason that 1422 does not completely preclude non-subordinate
certification by CAs is to allow the same infrastructure to be
used for more than PEM. Thus the name subordination requirement
is enforced by UAs.
Steve
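
The subordination check a UA would apply, as an added example that is not part of the original message: a signature can be valid on every link of a path and the last certificate can still name someone outside the issuing CA's subtree, which a user who never sees the path cannot notice. The DN representation (a list of RDN pairs, root first), the matching rule, the function names and all sample names are assumptions made for illustration; signature verification is out of scope here.

```python
# Added illustration; every name below is constructed sample data.
# A DN is a sequence of (attribute, value) RDNs, root of the naming tree first.

def normalize(dn):
    """Assumed matching rule: case-insensitive, whitespace-collapsed values."""
    return tuple((a.strip().upper(), " ".join(v.split()).lower()) for a, v in dn)

def is_subordinate(issuer_dn, subject_dn):
    """True when subject_dn lies strictly below issuer_dn in the naming tree."""
    issuer, subject = normalize(issuer_dn), normalize(subject_dn)
    return len(subject) > len(issuer) and subject[:len(issuer)] == issuer

def check_path(path):
    """path: list of {"issuer": dn, "subject": dn}, top-most certificate first.
    Returns a list of (index, reason) for every link a UA should reject."""
    problems = []
    for i, cert in enumerate(path):
        # Name chaining: each certificate must be issued by the previous subject.
        if i > 0 and normalize(cert["issuer"]) != normalize(path[i - 1]["subject"]):
            problems.append((i, "issuer does not match previous subject"))
        # Name subordination: a CA may only vouch for names beneath its own.
        if not is_subordinate(cert["issuer"], cert["subject"]):
            problems.append((i, "subject is not subordinate to issuer"))
    return problems

ORG_CA = [("C", "US"), ("O", "Example Corp")]
UNIT_CA = ORG_CA + [("OU", "Engineering")]
ALICE = UNIT_CA + [("CN", "Alice")]
# A name that belongs to a different organization's subtree.
FOREIGN = [("C", "US"), ("O", "Other Org"), ("CN", "Bob")]

GOOD_PATH = [{"issuer": ORG_CA, "subject": UNIT_CA},
             {"issuer": UNIT_CA, "subject": ALICE}]
# Same CAs, but the last certificate asserts a name outside the CA's subtree.
SPOOF_PATH = [{"issuer": ORG_CA, "subject": UNIT_CA},
              {"issuer": UNIT_CA, "subject": FOREIGN}]

if __name__ == "__main__":
    print("good path :", check_path(GOOD_PATH))
    print("spoof path:", check_path(SPOOF_PATH))
```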