[kmf-discuss] DN/subjectAltName mapping to username
Jan Pechanec
Jan.Pechanec at Sun.COM
Thu Dec 20 08:33:35 PST 2007
On Thu, 20 Dec 2007, Nicolas Williams wrote:
>> >> - ignore domain if applicable (eg. mail-to-user mapper)
>> >
>> >That could only be OK if the set of trust anchors is narrow enough.
>>
>> hmm, not sure what you mean by this. If I understand that correctly,
>> one KMF policy means one trusted anchor only. J.
>
>But that trust anchor could be a root CA for a very large namespace, or
>one for a very small namespace. In the former case using an e-mail addr
>SAN minus the @domain part regardless of what the domain was seems...
>like asking for trouble.

Understood. Probably, one would have to have control over such a CA if
this was to be used. Anyway, default to "NO" and it's up to an admin then.
--
Jan Pechanec
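
The default discussed in this thread, as an added example that is not part of the original message or of KMF's code: a hypothetical mail-to-user mapper that strips the @domain part only when the domain matches one configured value, unless an admin turns on an ignore-domain option. The type, field and function names and the sample addresses are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mapper options; these names are assumptions, not KMF's API. */
typedef struct {
    bool ignore_domain;         /* false by default, per the thread */
    const char *allowed_domain; /* only domain accepted when ignore_domain is false */
} mail_mapper_opts;

/* ASCII case-insensitive equality for domain names. */
static bool domain_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b; /* true only if both strings ended together */
}

/* Map an rfc822Name SAN ("local@domain") to a username: 0 on success, -1 if rejected. */
int map_mail_to_user(const mail_mapper_opts *o, const char *san, char *user, size_t len)
{
    const char *at = strchr(san, '@');
    /* Require exactly one '@' with a non-empty part on each side. */
    if (at == NULL || at == san || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return -1;
    size_t n = (size_t)(at - san);
    if (n >= len)
        return -1; /* refuse rather than truncate the username */
    /* Safe default: the domain must match unless the admin opted out. */
    if (!o->ignore_domain &&
        (o->allowed_domain == NULL || !domain_eq(at + 1, o->allowed_domain)))
        return -1;
    memcpy(user, san, n);
    user[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: the same local part under a second domain. */
    mail_mapper_opts strict = { false, "corp.example" }, loose = { true, NULL };
    char u[32];
    int a = map_mail_to_user(&strict, "jp@other.example", u, sizeof u);
    int b = map_mail_to_user(&loose, "jp@other.example", u, sizeof u);
    printf("strict=%d loose=%d user=%s\n", a, b, u);
    return 0;
}
```

With the option off, a certificate from the same trust anchor carrying an address in another domain is rejected; with it on, every domain under that anchor maps to the same local username.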