[caops-wg] Re: ca signing policy file

David Chadwick d.w.chadwick at kent.ac.uk
Mon Oct 10 04:32:57 CDT 2005

Mike Helm wrote:
>>>>>>>> Do I understand correctly that you are suggesting that a
>>>>>>>> CA's namespace file can include rules for all of its
>>>>>>>> subordinates? (This seems to be what your example implies.)
>>>>>>>> I actually think I like this idea, see next comment.

This is actually in fact what the original X.509 name constraints 
extension was designed to do, until RFC3280 perverted it.

>>>>>>>That's indeed what I meant. It would enable new subordinates to
>>>>>>>"glide in" without intervention from the admin, as long as they
>>>>>>>stay within the namespace assigned for subordinates.

Exactly. A superior CA should be able to constrain what a subordinate CA 
can do. If the subordinate CA then does something different when issuing 
certs, those certs won't be trusted.

> You all might want to look into a sort of movement that seems to exist in some
> PKIX members.  I've picked up some microsoft certs recently that seem to have
> AIA extensions that jump around missing links in the trust chain
> (between the end entity cert you have, and the trusted issuer pre-installed
> in your cert store). 

It's actually worse than that. Microsoft will actually trust and validate 
certificates that have names that do not conform to the name constraints 
extension, due to the fact that RFC 3280 says that all non-specified 
name spaces are trusted (whereas X.509 stated that they were untrusted).

> Somewhere I have read a justification / method for
> this but have lost track.

I am still to find a justification for this :-)

> But there is at least one example of another variant
> in a current draft in the IETF PKIX WG:
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-03.txt


David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
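To make the name-constraints point in this thread concrete, here is an added example (not code from the list or from any of the posters) of a simplified permitted/excluded subtree check with a switch for how a name form that has no permittedSubtrees entry is treated: accepted, which is the RFC 3280 behaviour described above, or rejected, the stricter reading the thread attributes to the original X.509 text. Only the dNSName and rfc822Name forms are modelled, and the `NameConstraints`, `names_acceptable` and `SUPERIOR_NC` names are this example's own.

```python
# Simplified X.509 name-constraints check. Constructed example, not code from
# the thread; only the dNSName and rfc822Name forms are modelled.
from dataclasses import dataclass, field

def _dns_in_subtree(name: str, base: str) -> bool:
    """dNSName match: name equals base or is a subdomain of it."""
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)

def _email_in_subtree(addr: str, base: str) -> bool:
    """rfc822Name match: base is a full mailbox, a host (every mailbox on
    that host) or a leading-dot domain (every mailbox in that subtree)."""
    addr, base = addr.lower(), base.lower()
    if "@" in base:
        return addr == base
    host = addr.rsplit("@", 1)[-1]
    if base.startswith("."):
        return host.endswith(base)
    return host == base

MATCHERS = {"dns": _dns_in_subtree, "email": _email_in_subtree}

@dataclass
class NameConstraints:
    permitted: dict = field(default_factory=dict)  # name form -> subtree bases
    excluded: dict = field(default_factory=dict)

def names_acceptable(names, nc, unspecified_forms_permitted):
    """names: list of (form, value) pairs taken from the certificate.
    unspecified_forms_permitted=True is the RFC 3280 rule (a form with no
    permittedSubtrees entry is unconstrained); False is the stricter reading
    the thread attributes to the original X.509 text (such names fail)."""
    for form, value in names:
        match = MATCHERS[form]
        if any(match(value, b) for b in nc.excluded.get(form, [])):
            return False  # excludedSubtrees always wins
        bases = nc.permitted.get(form)
        if bases is None:
            if nc.permitted and not unspecified_forms_permitted:
                return False
            continue
        if not any(match(value, b) for b in bases):
            return False
    return True

# Constructed sample: the superior CA permits subordinates to issue only under
# example.org for dNSName and says nothing about rfc822Name.
SUPERIOR_NC = NameConstraints(permitted={"dns": ["example.org"]})
```

With `SUPERIOR_NC`, a certificate carrying only `user@example.org` as an rfc822Name passes under the RFC 3280 switch and fails under the strict one, which is exactly the gap the message describes.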

