Subject: RE: [imi] Philosophical questions
John Bradley wrote on 2009-04-02:

> If a certificate doesn't chain to a valid root the Public Key is used to
> generate the Client Pseudonym rather than the values from the DN.

Yes, I can see that they've already been coupled, which I think was a mistake. I would have based it on the hostname and that's it, and left the rest to the management of token submission.

> I have been asked by someone if case 3 should be used for expired and
> revoked certificates.
> I think the answer is no, they still chain to a trusted root even though they
> may not be trusted themselves.

I think you're damned if you do, or if you don't, but if there's another "gatekeeper" to count on, I guess erring on the side of generating a consistent value is better.

> If the user overrides a selector warning and indicates a policy override of
> some sort for the site then the PPID should remain the same and the card
> should continue to work at the site.

That's the best outcome possible, I think.

-- Scott
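The consequence the thread is arguing about (a stable PPID across certificate expiry or revocation, versus a PPID that changes when the site switches to a certificate that does not chain to a trusted root) is easiest to see in a small model. The following is an added illustration, not the IMI/CardSpace specification's actual PPID algorithm and not code from this list: the `SiteCert` structure, the `chains_to_trusted_root` flag standing in for a real path validation result, the SHA-256 construction and the sample DN and key bytes are all constructed assumptions. What it shows is the selection rule the reply describes: a certificate that still chains to a trusted root keeps feeding the DN values into the pseudonym even when it is expired or revoked, so the card keeps working at the site; only a certificate that does not chain falls back to the public key.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SiteCert:
    """Minimal stand-in for the relying party's certificate (constructed, not a real X.509 parser)."""
    dn_fields: dict                  # subject DN values, e.g. {"O": ..., "CN": ...}
    public_key: bytes                # stand-in for the DER SubjectPublicKeyInfo
    chains_to_trusted_root: bool     # result of path validation to a trusted root (assumed input)
    expired: bool = False            # validity-period failure; does NOT change the chaining result
    revoked: bool = False            # revocation failure; does NOT change the chaining result


def pseudonym_input(cert: SiteCert) -> bytes:
    """Pick the site identifier material as the thread describes it.

    Chains to a trusted root -> DN values (even if expired/revoked, per John's answer).
    Does not chain          -> the public key itself.
    """
    if cert.chains_to_trusted_root:
        # Sort the DN attributes so ordering differences do not change the pseudonym.
        dn = "|".join(f"{k}={v}" for k, v in sorted(cert.dn_fields.items()))
        return b"dn:" + dn.encode("utf-8")
    return b"key:" + cert.public_key


def client_pseudonym(card_secret: bytes, cert: SiteCert) -> str:
    """Illustrative PPID: a hash binding a per-card secret to the site material.

    The real IMI derivation is not reproduced here; only the input-selection
    behaviour matters for this example.
    """
    return hashlib.sha256(card_secret + b"\x00" + pseudonym_input(cert)).hexdigest()


# --- constructed sample data (not real certificates) ---
CARD_SECRET = b"constructed-card-master-key-0001"
DN = {"O": "Example Relying Party", "CN": "rp.example.test"}
KEY_V1 = b"\x30\x59constructed-spki-v1"
KEY_V2 = b"\x30\x59constructed-spki-v2"

cert_ok = SiteCert(DN, KEY_V1, chains_to_trusted_root=True)
cert_expired = SiteCert(DN, KEY_V1, chains_to_trusted_root=True, expired=True)
cert_revoked_rekeyed = SiteCert(DN, KEY_V2, chains_to_trusted_root=True, revoked=True)
cert_selfsigned = SiteCert(DN, KEY_V1, chains_to_trusted_root=False)
cert_selfsigned_rekeyed = SiteCert(DN, KEY_V2, chains_to_trusted_root=False)


def ppid_is_stable(card_secret: bytes, a: SiteCert, b: SiteCert) -> bool:
    """True when the card would present the same PPID to both certificates."""
    return client_pseudonym(card_secret, a) == client_pseudonym(card_secret, b)


if __name__ == "__main__":
    print("expired cert, same DN, still chains :", ppid_is_stable(CARD_SECRET, cert_ok, cert_expired))
    print("revoked + rekeyed, still chains     :", ppid_is_stable(CARD_SECRET, cert_ok, cert_revoked_rekeyed))
    print("self-signed vs chained              :", ppid_is_stable(CARD_SECRET, cert_ok, cert_selfsigned))
    print("self-signed, key rotated            :", ppid_is_stable(CARD_SECRET, cert_selfsigned, cert_selfsigned_rekeyed))
```

Running it makes the trade-off concrete: under the "still chains" rule the PPID survives expiry, revocation and even a key rollover (the DN path ignores the key), which is exactly why the reply notes that a separate gatekeeper has to catch the untrusted certificate; on the non-chaining path any key rotation at the site changes the PPID and the card stops working there.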