Paul Hoffman wrote:
> At 6:06 PM +0100 5/24/07, Gervase Markham wrote:
>> Paul Hoffman wrote:
>>> That makes the assumption that all domains from those countries are in
>>> the countries' TLDs; that is a bad assumption.
>>
>> You mean that these CAs will not be able to sign certificates for some
>> sites that they might want to (e.g. www.myfrenchsite.com)? Yes, but
>> that's just tough on them.
> 
> My feeling is that we would be better off not making this leap of
> limitation. Either someone is allowed to certify in all domain names, or
> in none.

Paul, that argument sounds to me like you're saying that constraining the
name space for which a CA may issue certs is somehow not part of the PKI
model.  You seem to be suggesting that no CA should be constrained in
the name space for which it can issue certs.

Yet name space constraints are a fundamental part of X.509 v3 certs,
and well defined in RFC 3280, (and implemented in NSS).  Any CA may
choose to constrain the space(s) for the names that subordinate CAs may
issue as cert subjects.

I see no reason (certainly no technical reason) not to allow the user
to constrain the space for which he trusts a CA to issue subject names.

Remember that, unlike the DoD's single root model, in which the root CA
cert is the trust anchor and has final say in all matters, in our open
Internet trust model, there are multiple roots, and the user himself
ultimately decides what he does and does not trust.

In effect, all the root CA certs are subordinate to the user himself.
Why, then, should the user not be able to constrain those subordinate
CAs, just as any CA can constrain its subordinates?


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
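
The user-imposed constraint discussed in the message above, sketched as an added example (not part of the original post and not NSS code). It applies the RFC 3280 dNSName subtree rule to constraints the user attaches to each root; the root names, the constraint table and the `.fr` host are constructed, and only dNSName entries are handled.

```python
# Added illustration: per-root dNSName constraints chosen by the user,
# matched with the RFC 3280 subtree rule (labels may only be added on the left).

def _labels(name):
    # DNS names compare case-insensitively; ignore a leading/trailing dot.
    return [l for l in name.lower().strip(".").split(".") if l]

def in_subtree(dns_name, base):
    """True if dns_name equals base or is base with labels added on the left."""
    n, b = _labels(dns_name), _labels(base)
    if not b:                      # an empty base matches every DNS name
        return True
    # Compare whole labels, so "notfr" is not inside "fr".
    return len(n) >= len(b) and n[-len(b):] == b

def name_allowed(dns_name, permitted, excluded):
    # An excluded subtree always wins over a permitted one.
    if any(in_subtree(dns_name, e) for e in excluded):
        return False
    # permitted=None means the user placed no permitted-subtree limit.
    return permitted is None or any(in_subtree(dns_name, p) for p in permitted)

# Constructed user policy: one root limited to a country TLD, one unconstrained.
USER_CONSTRAINTS = {
    "Example French Gov Root": {"permitted": ["fr"], "excluded": []},
    "Example Global Root": {"permitted": None, "excluded": []},
}

def user_trusts(root, san_dns_names):
    """Accept a cert chaining to `root` only if every dNSName is in bounds."""
    policy = USER_CONSTRAINTS.get(root)
    if policy is None:             # not one of the user's trust anchors
        return False
    # Constraints apply to each name present; one out-of-bounds name rejects.
    return all(name_allowed(n, policy["permitted"], policy["excluded"])
               for n in san_dns_names)

if __name__ == "__main__":
    for root, names in [
        ("Example French Gov Root", ["www.service.example.fr"]),
        ("Example French Gov Root", ["www.myfrenchsite.com"]),
        ("Example Global Root", ["www.myfrenchsite.com"]),
    ]:
        print(root, names, "->", user_trusts(root, names))
```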
