Subject: Re: [xri] XRD trusted discovery workflow
Nat,

SubjectAltName can have multiple elements so I suppose a single cert could service multiple CID, as it can for email addresses.

I am not certain what you mean by unique name. From an AWWW perspective every URI represents a unique resource so that probably is not what you are getting at.

The qualities of the email or URI in the SubjectAltName would be determined by the CA's policy.

We may need some new use policy in the CERT to prevent confusion with email or other certs issued for different reasons under different vetting policies.

=jbradley

On 15-Dec-08, at 4:18 AM, Nat Sakimura wrote:

> Ah!
>
> My comments inline.
>
> Peter Davis wrote:
>> On Dec 11, 2008, at 6:13 PM, Sakimura Nat wrote:
>>
>>> That is, if it were http://example.com/alice and http://example.com/bob,
>>> then it should be example.com that signs this.
>>
>> I am not sure that I agree completely on this for all cases. Take,
>> for example:
>>
>>   https://example.com/foo/alice
>>
>> It is entirely plausible that the naming authority is /foo (not
>> example.com). Similarly, for:
>>
>>   https://foo.example.com/foo/alice
>>
>> the naming authority _could_ be any of:
>>
>>   foo.example.com/foo
>>   foo.example.com
>>   example.com
>>
>> all of which should be considered valid
>>
> Indeed. The above sentence was the summarization of Brian's approach.
> Like John has explained, my approach differs in that I believe each
> identity should have a cert.
>
> In that path, the current discussion is whether to revive
> SubjectUniqueId or use SubjectAltName.
> As long as there is a way to know that SubjectAltName indeed is a
> unique name, I am fine with it.
>
>> =peterd
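The two models argued over in this thread, an identity's own cert naming it in SubjectAltName versus a naming authority (foo.example.com/foo, foo.example.com or example.com) signing on its behalf, as an added Python example that is not part of the thread or of any XRD implementation. It assumes the verifier has already parsed the SubjectAltName extension into (type, value) pairs (the constructed SAMPLE_SAN below stands in for that), and, as labelled in the code, it stops the parent-domain walk at two labels rather than consulting the public suffix list.

```python
from urllib.parse import urlsplit

# Constructed sample SubjectAltName contents, as (type, value) pairs such as
# a verifier would extract from a certificate: one cert carrying several
# URIs and an email address, as the thread notes a single cert may do.
SAMPLE_SAN = [
    ("URI", "https://example.com/alice"),
    ("URI", "https://example.com/bob"),
    ("email", "alice@example.com"),
]


def _host_and_segments(uri):
    """Lower-cased host and the non-empty path segments of a URI."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    return host, segments


def normalise_uri(uri):
    """Canonical form for exact comparison: scheme and host lower-cased,
    an empty path and a trailing slash treated alike."""
    parts = urlsplit(uri)
    host, segments = _host_and_segments(uri)
    return parts.scheme.lower() + "://" + host + "/" + "/".join(segments)


def authority_name(uri):
    """Name a URI as a naming authority: host plus path, no scheme and no
    trailing slash (the form used in the thread: foo.example.com/foo)."""
    host, segments = _host_and_segments(uri)
    return host + ("/" + "/".join(segments) if segments else "")


def naming_authorities(uri):
    """Candidate naming authorities for a URI, most specific first: each
    ancestor path on the same host, then the host, then its parent domains.
    Assumption: the parent-domain walk stops at two labels (example.com);
    real code would consult the public suffix list so that a suffix such as
    co.uk is never treated as an authority."""
    host, segments = _host_and_segments(uri)
    out = []
    for i in range(len(segments) - 1, 0, -1):
        out.append(host + "/" + "/".join(segments[:i]))
    labels = host.split(".")
    for i in range(len(labels) - 1):
        out.append(".".join(labels[i:]))
    return out


def cert_covers(san_entries, identifier):
    """Exact binding check: does this SAN name the identifier? Only URI
    entries may match a URI and only email entries may match an address,
    so a cert issued for mail under another vetting policy is not
    mistaken for one issued for a CID."""
    if identifier.lower().startswith("mailto:"):
        identifier = identifier[len("mailto:"):]
    if "://" not in identifier and "@" in identifier:
        return any(t == "email" and v.lower() == identifier.lower()
                   for t, v in san_entries)
    target = normalise_uri(identifier)
    return any(t == "URI" and normalise_uri(v) == target
               for t, v in san_entries)


def may_sign_xrd(signer_san, subject_uri):
    """Accept an XRD signature over subject_uri if the signer's cert either
    names the subject itself (one cert per identity) or names one of the
    subject's naming authorities (the authority signs on its behalf)."""
    if cert_covers(signer_san, subject_uri):
        return True
    allowed = set(naming_authorities(subject_uri))
    return any(t == "URI" and authority_name(v) in allowed
               for t, v in signer_san)


if __name__ == "__main__":
    subject = "https://foo.example.com/foo/alice"
    print("authorities for", subject, "->", naming_authorities(subject))
    print("own cert:", may_sign_xrd(SAMPLE_SAN, "https://example.com/alice"))
    print("parent path:", may_sign_xrd(
        [("URI", "https://foo.example.com/foo")], subject))
    print("sibling path:", may_sign_xrd(
        [("URI", "https://foo.example.com/bar")], subject))
```

The split between cert_covers and may_sign_xrd is the point of the example: whichever model the TC settles on, the verifier must first decide which SAN types count as a CID at all, and only then ask whether the name found is the subject or one of its authorities.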