[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-ietf-spki-cert-theory-00.txt

Ed Gerck wrote:
> As to the CAs doing name assignment, this is actually mandated by X.509.
> The problem of connecting different CA's is solved in X.509 by forming a
> PKI of CAs -- which is possible in principle because all CAs follow the
> *same* naming convention. 

This does not necessarily apply to anyone using PKIX (recognizing that
you *did* mention X.509 and not PKIX), and I am posting this as many
blindly equate PKIX with X.509 (yes, I recognize the similarities). PKIX
mandates the use of subject a "DN", but has absolutely no enforcement on
the contents of that DN, and nothing in PKIX prevents DNs containing any
information or any naming convention you want, X.500 or not.

P.S. Ed, I realize you recognize this - this is for the "ya, ya,
everything in X.509 is bad" crowd.

> Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
> http://novaware.cps.softex.br

Patrick C. Richard - patr@xcert.com
Public Key Available via LDAP

"All informational objects are candidates for PKI-based ACLs."
       - yhe