- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 06 Dec 2007 17:35:25 +0000
- To: public-wsc-wg@w3.org, stephen.farrell@cs.tcd.ie, pbaker@verisign.com

Thomas Roessler wrote:
> Please find below the summary from the PKIX session at IETF70. I
> found the part about DN collisions most interesting in light of our
> discussion on Thursday (in particular since it refers to "real-world
> situations"), and would be curious what precisely is behind this.
>
> Stephen, Phill, can one of you shed some light on this?

There are apparently some ITU-T purists who think that because DN means "distinguished name" there should be a name registration authority that ensures that no CA names ever collide. (Presumably this is a hangover from the fact that X.509 originates from X.500.)

PKIX isn't bothered by that and certainly doesn't want to make a list of CA names.

AFAIK, there's never been an interesting accidental CA name collision. (A deliberate spoof would just be made a teeny-tiny bit easier by having such a list but is otherwise unaffected.)

Summary: not worth bothering with.

S.

Received on Thursday, 6 December 2007 17:35:28 UTC