pem-dev

Re: name subordination, again...

1993-12-15 15:25:00
Raj,

        Name subordination addresses a number of security and
administrative concerns, as has been discussed in previous message
traffic.  Merely adding a bit to a certificate would not provide
functionality equivalent to name subordination, you noted.  One needs
more information, essentially expressing the range of DNs that the CA
is authorized to certify.  There is no place for such information in
an X.509 certificate, nor have I seen any syntax that would claim to
be able to express the variety of constraints that arise in practice.

        Remember that there are no name subordination requirements for
the IPRA or for PCAs and that would have to be expressed in their
certificates, as well as the more stringent name subordination rules
we already have at the CA level and which are generally thought to be
necessary.  If one were to make name subordination a per-PCA feature,
then PEM UA software would have to understand that different
certification paths would require different certificate validation
processing rules.  Would there be any constraints on what alternative
rules different PCAs might prescribe?  If not, we cannot have PEM UA
software capable of processing paths for all PCAs.  If so, one would
have to establish what those rules are, with an understanding of what
the implications are for PEM UA software, both from the perspective of
certificate validation and cache management, and from a certificate
display perspective.

        Before we get too excited about alternatives to name
subordination it would be good to have concrete, comprehensive
proposals put forth that address all of these concerns.

Steve
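As an added illustration (not code from the pem-dev thread) of the CA-level name subordination rule the message refers to, the following check models DNs as ordered RDN sequences and validates a path from the IPRA down to an end entity; the DN values and the "issuer_role" field are constructed sample data.

```python
from typing import Dict, List, Tuple

# A DN is an ordered sequence of RDNs; each RDN is a sorted tuple of (type, value) pairs.
DN = Tuple[Tuple[Tuple[str, str], ...], ...]

def dn(*rdns: Dict[str, str]) -> DN:
    """Build a DN from RDNs given root-first, e.g. dn({"C": "US"}, {"O": "Example"})."""
    return tuple(tuple(sorted(r.items())) for r in rdns)

def is_subordinate(subject: DN, ca: DN) -> bool:
    """Name subordination: the CA's DN must be a proper prefix of the subject's DN."""
    return len(subject) > len(ca) and subject[: len(ca)] == ca

def validate_path(path: List[Dict]) -> Tuple[bool, str]:
    """Validate a path ordered from the IPRA-issued PCA certificate down to the
    end entity. Each entry carries 'subject', 'issuer' and 'issuer_role'
    ("IPRA", "PCA" or "CA"; a constructed field, not an X.509 attribute).
    Rule 1: each certificate's issuer chains to the previous subject.
    Rule 2: name subordination applies only to certificates issued by a CA;
            the IPRA and PCAs are exempt, as the message above notes."""
    for i, cert in enumerate(path):
        if i > 0 and cert["issuer"] != path[i - 1]["subject"]:
            return False, f"cert {i}: issuer does not chain to previous subject"
        if cert["issuer_role"] == "CA" and not is_subordinate(cert["subject"], cert["issuer"]):
            return False, f"cert {i}: subject not subordinate to issuing CA"
    return True, "path valid"

# Constructed sample hierarchy: IPRA -> PCA -> CA -> user.
IPRA = dn({"CN": "Internet PCA Registration Authority"})
PCA = dn({"C": "US", "O": "Sample PCA"})                   # need not be subordinate to IPRA
CA = dn({"C": "US", "O": "Example Corp"})                  # need not be subordinate to PCA
GOOD_USER = dn({"C": "US", "O": "Example Corp"}, {"CN": "Alice"})
BAD_USER = dn({"C": "US", "O": "Other Corp"}, {"CN": "Mallory"})  # outside the CA's name space

def sample_path(user: DN) -> List[Dict]:
    return [
        {"subject": PCA, "issuer": IPRA, "issuer_role": "IPRA"},
        {"subject": CA, "issuer": PCA, "issuer_role": "PCA"},
        {"subject": user, "issuer": CA, "issuer_role": "CA"},
    ]

if __name__ == "__main__":
    print(validate_path(sample_path(GOOD_USER)))  # (True, 'path valid')
    print(validate_path(sample_path(BAD_USER)))   # (False, 'cert 2: subject not subordinate to issuing CA')
```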
