pem-dev

Re: DN subordination

1993-11-13 14:28:00
Unless you are prepared to display complete certification paths 
for users, the name subordination requirement is necessary to 
prevent the last certificate in a chain from spoofing a user.  The 
reason that 1422 does not completely preclude non-subordinate 
certification by CAs is to allow the same infrastructure to be 
used for more than PEM.  Thus the name subordination requirement 
is enforced by UAs.

Actually, I do always display complete chains.  However, the issue of
how to get residential CAs to work in a DN subordination environment
still remains.

I've taken a compromise stand of not requiring subordination between
top layer CAs (directly beneath PCAs) and the next layer and will
adopt this scheme unless the residential CA issue can be resolved.

 -Ray
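
The subordination check a UA would apply along a chain, and the effect of the relaxation described in the reply, sketched as an added example (not part of the original message and not code from any PEM implementation). The DN strings, the simple comma-separated parsing, and the treatment of PCA-issued links as exempt are assumptions made for illustration.

```python
# Added illustration. DNs are modelled as lists of (type, value) RDN pairs,
# most significant first. All names below are constructed.

def parse_dn(text):
    """Parse 'C=US, O=Example' into [('C', 'us'), ('O', 'example')].
    Simplification: no escaped commas or multi-valued RDNs."""
    rdns = []
    for part in text.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return rdns

def is_subordinate(subject, issuer):
    """True when the issuer DN is a proper prefix of the subject DN."""
    s, i = parse_dn(subject), parse_dn(issuer)
    return len(s) > len(i) and s[:len(i)] == i

def check_chain(chain, exempt_top_ca=False):
    """chain: (issuer_dn, subject_dn) pairs ordered from the PCA-issued
    certificate down to the user. Link 0 (issued by the PCA) is assumed
    exempt. With exempt_top_ca=True, link 1 (top-layer CA to the next
    layer) is exempt as well, as in the compromise described above.
    Returns the indices of links that violate subordination."""
    first_checked = 2 if exempt_top_ca else 1
    return [n for n, (issuer, subject) in enumerate(chain)
            if n >= first_checked and not is_subordinate(subject, issuer)]

# Constructed chain: an organizational top-layer CA certifying a residential CA.
RESIDENTIAL = [
    ("C=US, O=Constructed PCA", "C=US, O=Constructed CA Services"),
    ("C=US, O=Constructed CA Services", "C=US, ST=Massachusetts"),
    ("C=US, ST=Massachusetts",
     "C=US, ST=Massachusetts, L=Boston, CN=Constructed User"),
]

# Constructed chain: the last certificate names a user outside the CA's subtree.
SPOOF = [
    ("C=US, O=Constructed PCA", "C=US, O=Constructed CA Services"),
    ("C=US, O=Constructed CA Services", "C=US, O=Constructed CA Services, OU=Lab"),
    ("C=US, O=Constructed CA Services, OU=Lab", "C=US, O=Other Org, CN=Alice"),
]

if __name__ == "__main__":
    for name, chain in (("residential", RESIDENTIAL), ("spoof", SPOOF)):
        print(name, "strict:", check_chain(chain),
              "relaxed:", check_chain(chain, exempt_top_ca=True))
```
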
