> This assumes, of course, that issuer names are unique.  This is
> obviously a desirable property of such names, and I've always assumed
> that it's the case, but I don't know if there's any mechanism that
> guarantees it.  Is there a global registry of CAs or something similar?

The uniqueness property derives from the assumption that the two naming
schemes that tend to be used (X.500 DN and DC naming) presume that those
underlying mechanisms (X.500 and DNS) enforce uniqueness. In practice, the
uniqueness can be assumed within an org, but rarely beyond that.

As always with PKI, the relying party is on his own, and in a world of pain.

-- Scott
