Bodo Moeller wrote:
> In principle, X.509v3 name constraints could
> be used to let a client act as a CA for itself, but I've never heard
> of anyone implementing temporary keys that way.
>
That's exactly what we do in Globus! See http://www.globus.org
They are called proxy certificates. The subject name of the proxy
certificate is the same as the issuer's, with an extra CN=proxy. A proxy
can sign another proxy. This allows delegation in a GSSAPI sense.
______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
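The naming rule described in the reply above (proxy subject = issuer's subject plus an extra CN=proxy, with proxies able to sign further proxies) can be checked over a chain as in the following added example, which is not part of the original message and is not Globus or OpenSSL code. It assumes slash-separated DN strings, uses hypothetical function names and constructed sample names, and checks names only, not signatures or validity periods.

```python
# Added illustration: name chaining for proxy certificates (names only, no crypto).
PROXY_RDN = ("CN", "proxy")  # the extra component named in the message above

def parse_dn(dn):
    """Parse '/O=Grid/CN=Alice' into a tuple of (attribute, value) RDNs.
    Assumption: values contain no '/' characters."""
    rdns = []
    for part in dn.strip("/").split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

def is_proxy_of(subject, issuer):
    """True if subject is exactly the issuer's name plus one trailing CN=proxy."""
    return (len(subject) == len(issuer) + 1
            and subject[:-1] == issuer
            and subject[-1] == PROXY_RDN)

def delegating_identity(chain):
    """chain: list of (subject_dn, issuer_dn) strings, leaf first.
    Returns (end-entity subject, number of proxies above it) or raises ValueError."""
    certs = [(parse_dn(s), parse_dn(i)) for s, i in chain]
    for depth, (subject, issuer) in enumerate(certs):
        if subject[-1] != PROXY_RDN:
            return subject, depth  # first non-proxy certificate: the delegating user
        # Conservative choice: a subject ending in CN=proxy must be named after its issuer.
        if not is_proxy_of(subject, issuer):
            raise ValueError(f"proxy at depth {depth} is not named after its issuer")
        if depth + 1 >= len(certs) or certs[depth + 1][0] != issuer:
            raise ValueError(f"issuer of proxy at depth {depth} is missing from the chain")
    raise ValueError("empty chain")

# Constructed sample: a proxy signed by a proxy signed by the user's certificate.
CHAIN = [
    ("/O=Grid/CN=Alice/CN=proxy/CN=proxy", "/O=Grid/CN=Alice/CN=proxy"),
    ("/O=Grid/CN=Alice/CN=proxy", "/O=Grid/CN=Alice"),
    ("/O=Grid/CN=Alice", "/O=Grid/CN=Example CA"),
]
# Constructed sample: a proxy whose subject does not extend its issuer's name.
BAD_CHAIN = [
    ("/O=Grid/CN=Bob/CN=proxy", "/O=Grid/CN=Alice"),
    ("/O=Grid/CN=Alice", "/O=Grid/CN=Example CA"),
]

if __name__ == "__main__":
    print(delegating_identity(CHAIN))
```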