Subject: Re: [imi] Philosophical questions


That's why I prefaced this as philosophical.

I don't know that there is a perfect solution.

I see the current rules as having some advantages in a lot of cases.

If I have class 2 or EV certs they generate the same PPID independent of the CN across multiple sites without requiring an RP/STS.

However, if someone changes their city or state and renews their cert the next year, potentially none of their users can log in once they put up the new cert. Same CN, valid cert, but different PPID.

I think there is an educational role the ICF needs to play so that people don't fall into the potential holes.

I mostly want to make certain that my guidance to people outside the TC is rational if not perfect.

John B.
On 2-Apr-09, at 1:19 PM, Scott Cantor wrote:

> John Bradley wrote on 2009-04-02:
>> If a certificate doesn't chain to a valid root the Public Key is used to
>> generate the Client Pseudonym rather than the values from the DN.
>
> Yes, I can see that they've already been coupled, which I think was a
> mistake. I would have based it on the hostname and that's it, and left the
> rest to the management of token submission.
>
>> I have been asked by someone if case 3 should be used for expired and
>> revoked certificates.
>> I think the answer is no, they still chain to a trusted root even though
>> they may not be trusted themselves.
>
> I think you're damned if you do, or if you don't, but if there's another
> "gatekeeper" to count on, I guess erring on the side of generating a
> consistent value is better.
>
>> If the user overrides a selector warning and indicates a policy override
>> of some sort for the site then the PPID should remain the same and the
>> card should continue to work at the site.
>
> That's the best outcome possible, I think.
>
> -- Scott
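The failure mode John describes (same CN, still a valid cert, but a different PPID after the organisation's city changes) is easy to see in a small model. The following is an added example, not code from this thread, the OASIS IMI TC or the specification; it assumes, as a simplification, that the RP identifier for a certificate chaining to a trusted root is derived from the O, L, S and C subject fields, that an untrusted certificate's identifier is derived from its public key bytes, and that the PPID is a hash over the card's secret and that identifier. The spec's real field list and string encoding are not reproduced, and all certificate values below are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the subject fields and key of an RP certificate."""
    cn: str                 # subject CN (hostname)
    o: str                  # Organization
    l: str                  # Locality (city)
    s: str                  # State or province
    c: str                  # Country
    public_key: bytes       # DER SubjectPublicKeyInfo would go here; bytes suffice
    chains_to_trusted_root: bool


def rp_identifier(cert: Cert) -> str:
    """Assumed rule: DN-derived when the chain is trusted, key-derived otherwise."""
    if cert.chains_to_trusted_root:
        # The CN is deliberately left out, which is what makes the PPID the
        # same across several hostnames of one organisation (the thread's
        # "independent of the CN" property) and also what makes it change
        # when the city or state in a renewed cert changes.
        material = "|".join(
            ["O=" + cert.o, "L=" + cert.l, "S=" + cert.s, "C=" + cert.c]
        ).encode()
    else:
        # Nothing in the DN of an untrusted cert can be relied on, so the
        # public key is the only stable input available.
        material = cert.public_key
    return hashlib.sha256(material).hexdigest()


def ppid(card_secret: bytes, cert: Cert) -> str:
    """Assumed PPID construction: hash of card secret and RP identifier."""
    return hashlib.sha256(card_secret + rp_identifier(cert).encode()).hexdigest()


def renewal_breaks_login(card_secret: bytes, old: Cert, new: Cert) -> bool:
    """True when a renewed certificate would yield a different PPID, i.e.
    existing users of the card would no longer be recognised by the site."""
    return ppid(card_secret, old) != ppid(card_secret, new)


# Constructed sample data (not real certificates or keys).
CARD_SECRET = b"constructed-card-master-secret"
KEY_1 = b"constructed-public-key-1"
KEY_2 = b"constructed-public-key-2"

SITE_WWW = Cert("www.example.test", "Example Corp", "Springfield", "IL", "US", KEY_1, True)
SITE_SHOP = Cert("shop.example.test", "Example Corp", "Springfield", "IL", "US", KEY_1, True)
SITE_WWW_MOVED = Cert("www.example.test", "Example Corp", "Chicago", "IL", "US", KEY_1, True)

SELF_SIGNED = Cert("dev.example.test", "Example Corp", "Springfield", "IL", "US", KEY_1, False)
SELF_SIGNED_RENAMED = Cert("lab.example.test", "Example Corp", "Springfield", "IL", "US", KEY_1, False)
SELF_SIGNED_REKEYED = Cert("dev.example.test", "Example Corp", "Springfield", "IL", "US", KEY_2, False)


if __name__ == "__main__":
    print("same org, two hostnames, same PPID:",
          ppid(CARD_SECRET, SITE_WWW) == ppid(CARD_SECRET, SITE_SHOP))
    print("city changed on renewal, login breaks:",
          renewal_breaks_login(CARD_SECRET, SITE_WWW, SITE_WWW_MOVED))
    print("untrusted cert, hostname changed, same key, login survives:",
          not renewal_breaks_login(CARD_SECRET, SELF_SIGNED, SELF_SIGNED_RENAMED))
    print("untrusted cert, key rotated, login breaks:",
          renewal_breaks_login(CARD_SECRET, SELF_SIGNED, SELF_SIGNED_REKEYED))
```

The model makes the trade-off in the thread concrete: under the DN-derived rule an RP gets one PPID across all its hostnames for free, but a renewal that alters Locality or State silently invalidates every stored PPID, while under the key-derived rule a hostname change is harmless and a key rotation is what breaks users. Either way, a site planning a renewal has to know which inputs its PPIDs depend on before the new certificate goes live.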
