Name Constraints, was Re: [caops-wg] Re: ca signing policy file

David Chadwick d.w.chadwick at kent.ac.uk
Sun Oct 9 12:23:17 CDT 2005 


David Groep wrote:

> 
> I actually agree (it's just the habit that crept in here). I also
> think that the "namespace constraints policy collection (file)" should
> just be "namespace constraints file" or something similar.
> 
>> I think one question the document should address is why not use RFC  
>> 3280 Name Constraints? 

No, this would be unfortunate. The RFC 3280 Name Constraints semantics 
have perverted the original X.509 semantics so that a superior CA can no 
longer use name constraints to constrain all name spaces issued by the 
subordinate CA. We currently have a defect report on this issue being 
actively discussed in the ITU-T X.509 standards group.

To explain more fully, the X.509 name constraints had the original 
intention of limiting which certificates issued by a subordinate CA 
could be trusted. Those that fell outside the constrained name space 
were not to be trusted. RFC3280 perverted this, by adding a sentence 
that stated, if the subordinate CA issued a cert with a name form that 
was not in the name constraints extension, then this cert should be 
trusted. This now blows a hole in the trust assumptions of the superior 
CA, since a subordinate CA can now legally circumvent the name 
constraints by issuing certificates using a different name form. The 
current debate in the X.509 group is whether to revert to the original 
semantics or keep the perverted 3280 ones.


I think this mainly boils down to the fact
>> that while they look suitable, they are intended for bridging  
>> situations and we'll never get commercial CAs to adopt them,

actually I am being told by the RFC3280 lobby that commercial CAs do 
support name constraints, and because of this we cannot revert their 
semantics back from the RFC3280 meaning to that of the X.509 original 
meaning, because it would break their implementations.

Now if you are telling me that most commercial CAs do not support name 
constraints, that would be a powerful argument to support reverting name 
constraints back to their original semantics.

Can anyone give me evidence of support or non-support of commercial CAs 
for the name constraints extension?


  hence
>> always limiting ourselves to "Grid CAs". If everyone agrees with that  
>> statement, I'll plan on contributing some prose.
> 
> 
> I've a few other reasons to add to this as well:
> For nameConstraints in the certificate itself is that it's the "wrong"
> authority makiong the assertion. For these namespace policies, it's not the
> CA itself but rather the distributor or federation that makes the claim.

It is actually meant to be the superior authority that places the 
constraints on the subordinate CAs. CAs themselves can issue certs with 
whatever subject names they want to. They can also constrain themselves 
or not. So if a CA were to constrain itself, it would be through its CPS 
or CP. The name constraints extension is to constrain subordinate CAs.

> 
> The example again is SwissSign. In the federation, their
> (top-level) CA is limited to signing only the "Bronze" CA. This
> constraint is coded in the namespace constraints file. But of course,
> they'll never but in a nameConstraints assertion in their top-level
> limiting it to Bronze only :-)


What does bronze CA mean in the context of name constraints. Bronze, 
silver, gold etc do not sound like a naming constraint to me, but rather 
a CPS or policy issue


> 
> Also, only a subset of the certificates issued by a CA may be
> part of the federation, and limiting the namespace is a relatively
> straightforward way of doing that (instead of having to introduce
> a subordinate CA for that).
> 
> In all cases, the namespace constraints should be outside of the
> certificate chain of the constraint CA.
> 


I think currently it has to be outside the standard certificate path 
validation algorithm, due to the bug introduced by 3280, which will let 
certificates not in the constrained domain slip through the net as being 
valid, as explained above.


regards

David


*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

More information about the caops-wg mailing list