Steve Dusse writes:
> Allow me to force the issue... Should the name subordination
> requirement in RFC1422 become a policy issue to be determined by each
> PCA?

Nice idea. But we need to work out some issues first.
Name subordination is a hack, but it addresses a real requirement.
While verifying certificates, one needs to know whether a particular
issuer is authorized to sign a certificate for a particular principal.
This is an authorization issue which could perhaps be nicely solved if
X.509 certificates could be extended to contain general authorization
information. But, noooo.
What we need is one additional bit of information in a certificate
that indicates whether or not the certificate owner is allowed to issue
other certificates. Call this the 'delegation' bit. A CA would set this
bit in a certificate it issues to someone, iff it is convinced that the
someone will issue certificates in accordance with the policy that it
itself follows. In effect, the CA is delegating certificate issuing
authority to this someone after having checked them out.
It would be nice if the limits of the delegation could be explicitly
specified. A separate authorization certificate may be warranted, but
represents a significant overhead.
Is there a place in an X.509 certificate to squeeze in this information?
Assigning negative serial numbers (ick) for the certificates of
authorized CAs may be feasible, but is not extensible to hold any more
information. I'd hate to see a solution requiring CAs to have a
special name syntax. Need more ideas here...
-raj
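
The two authorization rules discussed in this message, compared side by side as an added example that is not part of the original message. It uses toy certificate records with no real X.509 parsing or signature checking; the `delegation` field, the function names and all sample names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: tuple             # DN as a tuple of RDNs, most significant first
    issuer: tuple
    delegation: bool = False   # hypothetical 'delegation' bit proposed in the message

def is_subordinate(subject, issuer):
    """Name subordination: the issuer's DN is a proper prefix of the subject's DN."""
    return len(subject) > len(issuer) and subject[:len(issuer)] == issuer

def check_chain(chain, rule):
    """chain[0] is the trusted top certificate; each later certificate is issued
    by the one before it. rule is 'subordination' or 'delegation'.
    Returns (ok, reason)."""
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"issuer mismatch at {child.subject[-1]}"
        if rule == "subordination":
            if not is_subordinate(child.subject, parent.subject):
                return False, f"{child.subject[-1]} is not subordinate to its issuer"
        elif rule == "delegation":
            if not parent.delegation:
                return False, f"{parent.subject[-1]} may not issue certificates"
        else:
            raise ValueError(f"unknown rule: {rule}")
    return True, "ok"

# Constructed sample data.
ORG = ("C=US", "O=Example Corp")
ca = Cert(subject=ORG, issuer=ORG, delegation=True)
dept = Cert(subject=ORG + ("OU=Research",), issuer=ca.subject, delegation=True)
alice = Cert(subject=dept.subject + ("CN=Alice",), issuer=dept.subject)
# An end user issuing a certificate for a name beneath her own.
bob = Cert(subject=alice.subject + ("CN=Bob",), issuer=alice.subject)
# A delegated CA issuing for a name outside its own subtree.
carol = Cert(subject=("C=US", "O=Other Org", "CN=Carol"), issuer=dept.subject)

if __name__ == "__main__":
    for label, chain in [("alice", [ca, dept, alice]),
                         ("bob", [ca, dept, alice, bob]),
                         ("carol", [ca, dept, carol])]:
        for rule in ("subordination", "delegation"):
            print(label, rule, check_chain(chain, rule))
```

The `bob` chain passes name subordination but fails the delegation check, while the `carol` chain does the opposite, which is the case where explicit limits on the delegation would be needed.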