This problem was also noted in the "Password" pilot project. The current rules
for the naming of CAs make "path verification" easy to implement but conflict
with one of the objectives of "distinguished naming", as one uses the same name
for the organization and the CA signing certificates for organization members.
Creating new attribute types is a very bad idea and has a damaging impact on
portability (the new type must be recognized by all Directory UAs). Why not
adopt a convention along the lines of:
<OU="Some name ending with the 3 letters space C and A, i.e. CA",
then the name of the organization>
for the name of a CA allowed to sign tickets for:
<CN, OU, etc.,
then the name of the organization>
That would be very easy to implement, allow multiple CAs corresponding to
different policies, etc.
Christian Huitema
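As an added illustration (not part of the original message), the following Python checks a CA name against the convention proposed above and decides whether that CA may sign for a given subject name: the CA's leading OU must end in " CA", the rest of the CA name is taken as the organization name, and the subject name must end with exactly that organization name. DN strings here use a simplified "TYPE=value, ..." form written most-specific-first (an assumption for the example); RFC 4514 quoting and escaping are not handled.

```python
# Added example, not from the original post: DN parsing is deliberately
# simplified (comma-separated, no escaping); real X.500 names need more.
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(text: str) -> List[RDN]:
    """Parse 'OU=Foo CA, O=Example, C=FR' into
    [('OU', 'Foo CA'), ('O', 'Example'), ('C', 'FR')]."""
    rdns: List[RDN] = []
    for part in text.split(','):
        attr, sep, value = part.partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def ca_organization(ca_dn: List[RDN]) -> List[RDN]:
    """Return the organization name a CA's name is built on, or raise if the
    CA name does not follow the convention (leading OU ending in ' CA',
    followed by the organization name)."""
    if len(ca_dn) < 2:
        raise ValueError("CA name needs an OU plus an organization name")
    attr, value = ca_dn[0]
    if attr != 'OU' or not value.endswith(' CA'):
        raise ValueError("CA name must start with OU='... CA'")
    return ca_dn[1:]


def _fold(dn: List[RDN]) -> List[RDN]:
    # Case-insensitive comparison of values, as X.500 string matching would do
    return [(a, v.lower()) for a, v in dn]


def may_sign(ca_dn_text: str, subject_dn_text: str) -> bool:
    """True if a CA named per the convention may sign for the subject:
    the subject's name must end with the CA's organization name and must
    carry at least one component of its own (CN, OU, ...) above it."""
    try:
        org = ca_organization(parse_dn(ca_dn_text))
    except ValueError:
        return False
    subject = parse_dn(subject_dn_text)
    if len(subject) <= len(org):
        return False
    return _fold(subject[-len(org):]) == _fold(org)
```

Because the organization name is recovered from the CA name itself, the check needs no extra attribute type; a second CA for another policy only needs a different leading OU.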