pem-dev

Re: New Version of TechMail-PEM available

1993-12-07 10:21:00
Jeff,

I haven't had the opportunity to review your product yet, but I 
am curious about a couple of things in conjunction with the naming
section that I will be working on for the ABA's CA guidelines 
document:

1. Do you provide, or intend to provide, any mechanisms
to allow the user to control which PCAs, CAs, and/or
individual users are accepted without warning, accepted with
warning or manual intervention, or rejected?

2. If you do not provide any wild-card control mechanisms
of this type, do you provide or intend to provide any direct 
indication to the user as to which PCA a given certificate has 
as its root?

3. How do you handle the case where one CA is certified
by multiple CAs, if you do? If and when such certificates 
are entered into an X.500 database, would you expect to
enter two certificates with an identical DN under a common
entry? 

4. To what extent do you enforce name subordination?

The reason for these questions is that I am beginning to wonder
whether a CA should specify the name of the PCA hierarchy
as an OU under their organizational name, both to eliminate
the apparent ambiguity as to which certificate is to be used, and
to clarify to the user which trust hierarchy is in effect for a given
signature chain.

I'm merely thinking out loud at this point, but I'm wondering whether
we should create a DN for our CA that would look like:

C=US, O=GTE Laboratories, OU=RSA Commercial Hierarchy CA.

Another CA, that might be used for noncommercial, casual e-mail
purposes, might be

C=US, O=GTE laboratories, OU=RSA Low Assurance CA.

Strict name subordination would then require that individual users
include the OU=RSA Commercial Hierarchy, etc., in their own DN, which
might have both its good and bad points. Conceivably we could consider 
enforcing name subordination only to the Organization level, although 
that might impose some limitations on the structure of CAs.

Again, I'm merely thinking out loud, not making a concrete proposal,
but I would be interested in your thoughts. (And other implementors
and kibitzers as well, of course.)

Bob
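
Added example, not part of the message above or of TechMail-PEM: a small
name-subordination checker over X.500 DNs written in the notation the message
uses (most significant RDN first, comma-separated). It shows the two policies
the message weighs, strict subordination (the CA's whole DN must prefix the
user's DN) and subordination only down to the Organization RDN, and how the
latter leaves a user DN subordinate to both of the proposed GTE CAs at once.
The user DNs (`CN=Alice Example`) and the single-valued, comma-free RDN
parsing are assumptions for the example.

```python
"""Name-subordination check over X.500 DNs (constructed example)."""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]

# The two CA names proposed in the message, plus constructed user DNs.
CA_COMMERCIAL = "C=US, O=GTE Laboratories, OU=RSA Commercial Hierarchy CA"
CA_LOW_ASSURANCE = "C=US, O=GTE laboratories, OU=RSA Low Assurance CA"
USER_STRICT = "C=US, O=GTE Laboratories, OU=RSA Commercial Hierarchy CA, CN=Alice Example"
USER_ORG_ONLY = "C=US, O=GTE Laboratories, CN=Alice Example"


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs.

    Simplifications (assumptions for the example): one attribute per RDN,
    no commas inside values, attribute types upper-cased, values compared
    case-insensitively with whitespace collapsed. A trailing period, as in
    the message's own examples, is ignored.
    """
    rdns: List[RDN] = []
    for part in dn.rstrip(".").split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr.strip().upper(), " ".join(value.split()).casefold()))
    return rdns


def is_subordinate(subject_dn: str, issuer_dn: str, level: Optional[str] = None) -> bool:
    """True if subject_dn is name-subordinate to issuer_dn.

    level=None: strict subordination, the issuer's full DN must be a proper
    prefix of the subject's DN.
    level="O": subordination enforced only to the Organization RDN, i.e. the
    issuer's RDNs up to and including the first O= must prefix the subject's.
    """
    issuer = parse_dn(issuer_dn)
    subject = parse_dn(subject_dn)
    if level is not None:
        idx = next((i for i, (attr, _) in enumerate(issuer) if attr == level.upper()), None)
        if idx is None:
            return False  # issuer has no RDN of that type; nothing to subordinate to
        issuer = issuer[: idx + 1]
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer


def possible_issuers(subject_dn: str, ca_dns: List[str], level: Optional[str] = None) -> List[str]:
    """CAs from ca_dns under which subject_dn would be a valid subordinate name.

    More than one result is the ambiguity the message worries about: the DN
    alone no longer says which CA (and hence which PCA hierarchy) is in effect.
    """
    return [ca for ca in ca_dns if is_subordinate(subject_dn, ca, level)]


if __name__ == "__main__":
    cas = [CA_COMMERCIAL, CA_LOW_ASSURANCE]
    print("strict, user carries CA OU:", possible_issuers(USER_STRICT, cas))
    print("strict, user omits CA OU:  ", possible_issuers(USER_ORG_ONLY, cas))
    print("O-level, user omits CA OU: ", possible_issuers(USER_ORG_ONLY, cas, level="O"))
```

Run as a script it prints one issuer for the strict policy and both GTE CAs
for the Organization-level policy, which is the trade-off the message
describes: strict subordination burdens every user DN with the CA's OU, while
relaxing it to the Organization level gives up the DN's ability to identify
the trust hierarchy.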
