- From: Ian Fette <ifette@google.com>
- Date: Sun, 23 Dec 2007 04:15:45 -0800
- To: "Dan Schutzer" <dan.schutzer@fstc.org>
- Cc: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "W3 Work Group" <public-wsc-wg@w3.org>
- Message-ID: <bbeaa26f0712230415l47422b9pe3136653eb258b55@mail.gmail.com>
For the case where the certs are valid at the same time, I don't see why that would be preferable to just having one cert, with the additional domains in SubjAltName. Unless you don't want to share a private key across the various sites, but then the question arises of if you're not willing to share your private key, should I be willing to share my data? It seems to me like we are getting way beyond the scope of this group, and personally I don't see the value of what we're discussing in a broader sense. What matters in the current world of SSL is that the given cert is valid for the given site. We're talking about all sorts of extensions just to support an edge case in a new form-filler that may or may not ever see broad adoption. If, under the best of cases, it does see adoption but the cert continuity part is left out, what's the worst that can happen? The user has to re-type their username and password? Given the strict matching of this mechanism, it seems to me like the user will be re-typing their information a lot anyways, and so what's one more re-type every two years? It seems like we're climbing down a giant rathole with no pot-of-gold in sight... -Ian P.s. happy holidays everyone. On Dec 23, 2007 3:09 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote: > > This looks like it might be a very useful proposal > > I am wondering if there might not also be a desire to be able to link > certificates as belonging to the same entity, where both certificates > might > actually still be in force. For example Bank A has three different > subsidiaries, with three different names. Each has their own certificate. > It > might be useful to be able to recognize that all three certificates are > linked by the fact that they are all part of the same company. > > Dan > > -----Original Message----- > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] > On > Behalf Of Stephen Farrell > Sent: Saturday, December 22, 2007 9:04 AM > To: W3 Work Group > Subject: Linking certs > > > > Tyler was surprised on last week's call that there wasn't a > good way to link various certs belonging to the same end entity. > > I personally hadn't thought about that before and actually > didn't see an obvious way to achieve the result so I've written > up a proposal [1] for a new cert extension that may solve the > problem. > > I doubt that this'd be finished in time for us to make much use > of it in the our REC (though one never knows:-) but it might > be useful for a future version, and I'd definitely be interested > in whether or not it looks like something the browser vendors > and CA operators might want. > > And of course, any and all comments on the draft are welcome. > > Cheers, > Stephen. > > PS: The draft is an individual submission, not an official IETF > PKIX WG work item, though I've posted a note to that list too > as they might end up taking it on (or not). > > [1] http://tools.ietf.org/html/draft-farrell-pkix-other-certs-00 > > > > > >
Received on Sunday, 23 December 2007 12:16:02 UTC