At 1:38 PM -0400 8/12/07, Carl Wallace wrote:
I'd prefer to see support for rules based on TAA capabilities vs. admin precedence. For example, in PKIX, things like name constraints or usage constraints could be used. Rules based on values like these may be more applicable to enterprise scenarios with a precedence system being easier for individual users. It'd be easy to define precedence using an extension-like mechanism similar to name constraints and usage constraints.
It sounds like your TAA capabilities would map fairly directly to a precedence. That seems fine too.
--Paul Hoffman, Director --VPN Consortium
