At 01:42 PM 27/04/2007, Rob Austein wrote:
> At Fri, 27 Apr 2007 08:14:23 +1000, Geoff Huston wrote:
> > In thinking about this some more, the question is "is there any _forced_ reason why the SIA needs to be unique across all CAs?" I cannot think of such a reason - maybe RobK and/or RobA can, however.
>
> Assuming (per Russ) that we're talking about absolute (not relative) URIs (ie, "rsync://host/wombat" rather than "/wombat"), the reason is simple.

So I understand what you've said the reason is is because you have code that makes this assumption. That's an implementation decision, but not necessarily an outcome of some constraining factor in the underlying environment. I can conceive of algorithms that don't necessarily rely on such an assumption that still produce the same outcomes.
What I was wondering in my original note was if there was some basic property of the certificate structure that forced this constraint about a 1:1 relationship between SIA and CA + key. The tradeoff here is, as I see it, the tradeoff between aggregating the objects into a simpler (aggregated) structure that may reduce retrieval overheads, and the incremental cost to the validation algorithm is having to use some additional metadata management to mark off validated objects from the retrieved object set.
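
The tradeoff discussed in this message, as an added example that is not from the thread or from any participant's code: a validation walk in which several CAs share one SIA URI, each publication point is retrieved once, and per-object bookkeeping marks off what has been validated. The repository contents, key identifiers and the `validate_tree` function are constructed for illustration, and matching on an issuer key identifier stands in for signature verification.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): two CAs publish into one
# shared SIA URI, a third has its own. "aki" stands in for the issuer key id.
REPO = {
    "rsync://host/wombat": [
        {"name": "a.roa", "aki": "KEY-A"},
        {"name": "b.roa", "aki": "KEY-B"},
        {"name": "stray.roa", "aki": "KEY-X"},
    ],
    "rsync://host/koala": [{"name": "c.roa", "aki": "KEY-C"}],
}
CAS = [
    {"name": "CA-A", "ski": "KEY-A", "sia": "rsync://host/wombat"},
    {"name": "CA-B", "ski": "KEY-B", "sia": "rsync://host/wombat"},
    {"name": "CA-C", "ski": "KEY-C", "sia": "rsync://host/koala"},
]

def validate_tree(cas, repo):
    """Walk CAs without assuming one SIA per CA + key (hypothetical helper)."""
    cache = {}                      # SIA URI -> retrieved object list
    validated = defaultdict(dict)   # SIA URI -> {object name: CA name}
    fetches = 0
    for ca in cas:
        uri = ca["sia"]
        if uri not in cache:        # retrieve each publication point once
            cache[uri] = repo.get(uri, [])
            fetches += 1
        for obj in cache[uri]:
            # Only objects issued under this CA's key are its products;
            # a real validator would verify the signature here as well.
            if obj["aki"] == ca["ski"] and obj["name"] not in validated[uri]:
                validated[uri][obj["name"]] = ca["name"]
    # Anything never marked off belongs to no CA that pointed at this URI.
    leftovers = {
        uri: [o["name"] for o in objs if o["name"] not in validated[uri]]
        for uri, objs in cache.items()
    }
    return dict(validated), leftovers, fetches

if __name__ == "__main__":
    marked, leftovers, fetches = validate_tree(CAS, REPO)
    print(marked, leftovers, fetches)
```
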