pem-dev

Re: DN subordination

1993-11-30 17:31:00
Ray,

        I had the certificates you sent decoded and you are right,
the TIS residential PCA also is non-compliant.  

        I have communicated with the folks at RSADSI and they provided
some additional background on why their residential PCA is set up the
way we see it now.  Remember, RSA has been working with the folks at
Apple to provide a signature capability in AOCE (available, I think in
System 7 Pro) and that project has been ongoing for some time.  When
they began the work the Internet certification system had a root which
was equivalent to the RSADSI high assurance PCA today.  They designed
their Apple software around that model, which was later superseded by
the single root, multi-PCA model we have today.  So, they are
currently stuck with a single root key for the Apple environment which
they have tried to make congruent with the current Internet model.  I
have been talking with them, exploring options that would be
transparent to the Apple users, and hopefully easy to implement (but
then, I'm not writing their software so what do I know), and which
would allow them to offer a residential PCA that is compliant with the
Internet model.  We'll see what they can do after investigating this
more.

        I have been in touch with Sead Muftic at COST and he tells me
that their new software will comply with the model, so I expect that
if they offer a residential PCA it will support name subordination at
the CA level.  I have not contacted TIS, but I don't see why they
would have a problem bringing their residential PCA in line with the
standard (since they don't have the backward compatibility problem
that RSADSI is struggling with).  For now, one could special case the
RSA residential PCA (i.e., require CA level name subordination EXCEPT
for the RSADSI residential PCA), although I personally hate to
suggest that sort of kludge.  However, not enforcing subordination in
general leaves users open to spoofing attacks if one displays only the
PCA and user DNs (or local aliases thereof).  This is one of several
motivations for the subordination rule, i.e., protection against rogue
CAs and persona CAs without requiring a user to carefully peruse all
of the names in a certification path.  I'd hate to see us abandon this
important feature which contributes so much to the user friendliness
(and the low GOTCHA! factor) of PEM.  I'm still hopeful that RSADSI
will find a way to accommodate both the PEM environment as well as
their commitment to Apple.  (After all, I'm a Mac user!)

Steve
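
An added example, not part of the original message: one way a path validator could enforce the CA-level name subordination discussed above, including the per-PCA exemption the message mentions as a stopgap. The DN parser is simplified, every DN is a constructed sample value, and checking only certificates issued by CAs (not by the root or a PCA) is an assumption of this example.

```python
# Added example: CA-level DN subordination check over a certification path.
# Constructed sample DNs; parsing is simplified (no escaped commas,
# no multi-valued RDNs).

def parse_dn(dn):
    """Split 'C=US, O=Org, CN=Name' into a tuple of normalized (type, value) RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(rdns)

def is_subordinate(subject, issuer):
    """True if the issuer DN is a proper prefix of the subject DN."""
    s, i = parse_dn(subject), parse_dn(issuer)
    return len(s) > len(i) and s[:len(i)] == i

def check_path(path, exempt_pcas=frozenset()):
    """path: (issuer_dn, subject_dn) links ordered root -> PCA -> CA(s) -> user.
    Assumption: the first two links (issued by the root and by the PCA) are
    not subject to the rule; every later link must be subordinate unless the
    path's PCA is explicitly exempted. Returns the violating links."""
    if len(path) < 2:
        return []
    pca_dn = parse_dn(path[0][1])
    if pca_dn in {parse_dn(p) for p in exempt_pcas}:
        return []  # special-cased PCA: subordination not enforced below it
    return [(iss, sub) for iss, sub in path[2:] if not is_subordinate(sub, iss)]

# Constructed sample data.
ROOT = "C=US, O=Example Root"
PCA = "C=US, O=Example Residential PCA"
CA = "C=US, O=Example Org"
ROGUE_CA = "C=US, O=Rogue Org"
ALICE = "C=US, O=Example Org, CN=Alice"

GOOD = [(ROOT, PCA), (PCA, CA), (CA, ALICE)]
# A CA certifying a name outside its own subtree: a display showing only the
# PCA and user DNs would look identical to GOOD.
BAD = [(ROOT, PCA), (PCA, ROGUE_CA), (ROGUE_CA, ALICE)]

if __name__ == "__main__":
    print("good path violations:", check_path(GOOD))
    print("bad path violations: ", check_path(BAD))
    print("bad path, PCA exempt:", check_path(BAD, exempt_pcas={PCA}))
```

With the exemption in place the third call reports no violations, which is the cost of special-casing a PCA: the check no longer flags the mismatched issuer for any path under it.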
