Subject: Re: [xri] XRD trusted discovery workflow
Sorry for a late reply.

By "unique", I meant not-to-be-reused. This is more akin to the ownership of it. AWWW has little to say about the ownership of the URI.

Yes, as to having multiple CID in a cert, that is a possibility, as long as all those CIDs belong to that entity.

=nat

John Bradley wrote:
> Nat,
>
> SubjectAltName can have multiple elements so I suppose a single cert
> could service multiple CID, as it can for email addresses.
>
> I am not certain what you mean by unique name. From an AWWW
> perspective every URI represents a unique resource so that probably is
> not what you are getting at.
>
> The qualities of the email or URI in the SubjectAltName would be
> determined by the CA's policy.
>
> We may need some new use policy in the CERT to prevent confusion with
> email or other certs issued for different reasons
> under different vetting policies.
>
> =jbradley
> On 15-Dec-08, at 4:18 AM, Nat Sakimura wrote:
>
>> Ah!
>>
>> My comments inline.
>>
>> Peter Davis wrote:
>>> On Dec 11, 2008, at 6:13 PM, Sakimura Nat wrote:
>>>
>>>> That is, if it were http://example.com/alice and
>>>> http://example.com/bob, then it should be example.com that signs this.
>>>
>>> I am not sure that I agree completely on this for all cases. Take,
>>> for example:
>>>
>>> https://example.com/foo/alice
>>>
>>> It is entirely plausible that the naming authority is /foo (not
>>> example.com). Similarly, for:
>>>
>>> https://foo.example.com/foo/alice
>>>
>>> the naming authority _could_ be any of:
>>>
>>> foo.example.com/foo
>>> foo.example.com
>>> example.com
>>>
>>> all of which should be considered valid
>>>
>> Indeed. The above sentence was the summarization of Brian's approach.
>> Like John has explained, my approach differs in that I believe each
>> identity should have a cert.
>>
>> In that path, the current discussion is whether to revive
>> SubjectUniqueId or use SubjectAltName.
>> As long as there is a way to know that SubjectAltName indeed is a
>> unique name, I am fine with it.
>>
>>> =peterd
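
An added illustration, not part of the thread or of any XRI specification: it enumerates the candidate naming authorities Peter lists for a URI and contrasts that with the per-identity check Nat describes, where the CID itself must appear among the cert's SubjectAltName URIs. All function names, the sample SAN list and the two-label domain cutoff are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: URI entries from the SubjectAltName of one entity's cert.
SAMPLE_SAN_URIS = ["http://example.com/alice", "http://example.com/alice-work"]


def candidate_authorities(uri, min_labels=2):
    """Naming authorities that could plausibly sign for `uri`, most specific first.

    min_labels=2 is an assumption standing in for a real public-suffix lookup.
    """
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    found = []
    # Path-scoped authorities: every proper prefix of the path, longest first.
    for i in range(len(segments) - 1, 0, -1):
        found.append(host + "/" + "/".join(segments[:i]))
    # Host-scoped authorities: the host itself, then each parent domain.
    labels = host.split(".")
    for i in range(len(labels) - min_labels + 1):
        found.append(".".join(labels[i:]))
    return found


def normalize(uri):
    """Lower-case scheme and authority; the path stays case-sensitive."""
    parts = urlsplit(uri)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def cert_covers_cid(cid, san_uris):
    """Per-identity check: the CID itself must be one of the cert's SAN URIs."""
    return normalize(cid) in {normalize(u) for u in san_uris}


if __name__ == "__main__":
    for uri in ("https://example.com/foo/alice", "https://foo.example.com/foo/alice"):
        print(uri, "->", candidate_authorities(uri))
    for cid in ("http://example.com/alice", "http://example.com/bob"):
        print(cid, "covered:", cert_covers_cid(cid, SAMPLE_SAN_URIS))
```

The first function returns several equally plausible signers for one URI, which is the ambiguity raised in the thread; the second has exactly one answer per CID because the identifier is bound in the certificate itself.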