[caops-wg] Name Constraints - attempt at framing issues
Alan.Sill at ttu.edu
Fri Oct 14 11:39:51 CDT 2005
On Oct 14, 2005, at 11:21 AM, Von Welch wrote:
> The reason why we are discussing Name Constraints is that they are a
> way to express the limitations of that trust.
I agree with this point of view. It is not actually far from that
expressed by David Chadwick (although I have some reservations about
some of the points about time of day restrictions, etc.), and is close
to the "real world" issue: if you have verified your identity enough to
be allowed access to a building, for example, you may not be allowed
into the more restricted areas of that building without stronger proof:
a physical key, or passcode, etc. At any given level of entry, the
security measure you use may not apply to earlier levels of entry, even
though it is "stronger" than what got you in initially.
I still think we need a proposal for an authentication profile that is
built ahead of time to fit the idea that further trust might be
established through the authorization framework, i.e. by name
constraints, etc., as a further measure beyond initial authentication.
This would be a different profile than the ones that we have on the
books to date, although some ideas from using it might trickle back to
the original ones.
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
More information about the caops-wg