[kmf-discuss] DN/subjectAltName mapping to username
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Dec 20 08:30:40 PST 2007
Jan Pechanec wrote:
> On Thu, 20 Dec 2007, Nicolas Williams wrote:
>
>
>>> - ignore domain if applicable (eg. mail-to-user mapper)
>>>
>> That could only be OK if the set of trust anchors is narrow enough.
>>
>
> hmm, not sure what you mean by this. If I understand that correctly,
> one KMF policy means one trusted anchor only. J.
>
>
Yes, currently KMF only validates to the issuer; it doesn't walk up the
chain. However, we are likely going to address that issue in an upcoming fix.
-Wyllys