|
I provided rather detailed evidence
that RFC 5280 does require global name uniqueness. Can you explain
why my evidence is wrong? How does the text in Section 6.3 of RFC
5280 ensure that a CRL issued by one CA isn't used to determine
the status of certificates issued by an unrelated CA issuing
certificates under the same name if both can be validated from the
same trust anchor?
I have been explaining what RFC 5280 says (and what X.509 says). I have not been trying to justify that it was a correct design decision, so there's no need for me to answer the question about how one would ensure names are unambiguous. You are free to agree with Steve that RFC 5280 shouldn't have required names to be globally unambiguous, but that doesn't change the fact that (as I have shown) RFC 5280 and other PKIX documents were written in a way that things don't work unless names are globally unambiguous. If RFC 5280 didn't require names to be unambiguous, why didn't the text in Section 6.3.3 address the problem I mentioned above by requiring that the certification path for a CRL be the same as for the certificate whose status is being checked (or at least require that the list of CA names in the paths be the same)? Again, you can agree with Steve that something like that should have been done, but where's the evidence that it was done? Dave P.S. It would really be helpful if this discussion thread could end. It's not relevant to TRANS, and there would be no reason to discuss it at all in this group if there wasn't an attempt to include text about it in one of the TRANS documents. On 03/30/2016 01:15 PM, Ben Laurie wrote:
|
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
