Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Mike Helm helm at fionn.es.net
Wed Oct 12 11:22:31 CDT 2005


Von Welch writes:
> I meant to say that unless NameConstraints are adopted by CAs in  
> general (which probably means both "Grid CAs" as well as all the  
> various software packages our communities use to generate  
> certificates), we still need something like current ca signing  
> policies (i.e. relying party-specified name constraints).

I don't think name constraints, in general, no matter who does them,
are worth the slightest amount of our attention.  They don't solve
any problem that anyone actually has. (I think this is one reason
RFC 2459 name constraints took so long to get any support.)

This is particularly true in grid environments where the authentication
and authorization has been separated.  

What we do need, just like in any other pki, is some way of stating
whether or not a CA is trusted, and for what purposes (cert types).
If "purposes" includes naming, fine, but I don't think that
should be its primary or only method.  One purpose might
be "any" or "none": a scheme like that would
be very useful to the middleware: you can distribute a large
number of CA signing certs and make it easy for the 
relying party to configure the CA trust list.  (Most of our 
current CAs are grid-only.)

The current signing policy file is useful, in that it puts a brake
on what is going to be trusted, but the only decision it allows
is based on naming, which I contend is useless, and forces people
to deal with an inherently clumsy syntax that has been dis-optimized.

A side effect is that it places a huge emphasis on naming in Grids,
which is a waste of everyone's time.  We should be free to use 
whatever naming is appropriate and not jam ourselves into narrow
naming rules so that we don't disturb the delicate naming policy
rule distributed everywhere.  Since names in grids have no inherent
meaning and we have authorization schemes to enroll and control
privileges on successful authentication, the name constraint in Grids
doesn't add anything.  I also think this is functioning as a 
market inhibitor, in that CAs that don't fit this pattern such
as commercial CAs or other schemes are kept out of the business.
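
An added example, not code from this thread or from any Grid middleware: a small Python model of the two trust decisions contrasted above, a name-based signing policy (the relying party decides per CA which subject names it will accept) beside a purpose-based CA trust list (the relying party decides per CA which certificate types it will accept, with no naming rule). The signing_policy text is a constructed sample in the style of the Globus-era file; its field names and the use of shell-style globbing for the subject patterns are assumptions, not quoted from the page.

```python
"""Name-based signing policy versus purpose-based CA trust list (added example)."""
import fnmatch
import shlex

# Constructed sample in the style of a Globus-era signing_policy file.
# Field names (access_id_CA, pos_rights, cond_subjects) are assumed here.
SIGNING_POLICY = """
# one CA, trusted to sign only under two OU subtrees
access_id_CA  X509  '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights    globus  CA:sign
cond_subjects globus  '"/C=US/O=Example Grid/OU=People/*" "/C=US/O=Example Grid/OU=Services/*"'
"""

GRID_CA = "/C=US/O=Example Grid/CN=Example Grid CA"
COMMERCIAL_CA = "/C=US/O=Example Commercial/CN=Example Commercial CA"

# Constructed purpose-based trust list: CA issuer DN -> set of cert types it may issue.
# This is the "trusted, and for what purposes" alternative; naming plays no role.
TRUST_LIST = {
    GRID_CA: {"user", "host", "service"},
    COMMERCIAL_CA: {"host"},
}


def parse_signing_policy(text):
    """Return {issuer DN: [subject glob, ...]} from signing_policy-style text."""
    policies = {}
    current_ca = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # strips the single quotes around the DN
        if fields[0] == "access_id_CA":
            current_ca = fields[2]
            policies.setdefault(current_ca, [])
        elif fields[0] == "cond_subjects" and current_ca is not None:
            # fields[2] is the quoted list; each pattern inside is double-quoted
            policies[current_ca].extend(shlex.split(fields[2]))
    return policies


def name_policy_permits(policies, issuer, subject):
    """Name-based decision: is `subject` under a pattern allowed for `issuer`?"""
    patterns = policies.get(issuer)
    if not patterns:
        return False  # unknown CA, or a CA with no cond_subjects: reject
    return any(fnmatch.fnmatchcase(subject, pat) for pat in patterns)


def purpose_permits(trust_list, issuer, cert_type):
    """Purpose-based decision: is `issuer` trusted to issue `cert_type` at all?"""
    return cert_type in trust_list.get(issuer, set())


def evaluate(cert, policies=None, trust_list=TRUST_LIST):
    """Run both decisions on one (issuer, subject, cert_type) tuple."""
    if policies is None:
        policies = parse_signing_policy(SIGNING_POLICY)
    issuer, subject, cert_type = cert
    return {
        "by_name": name_policy_permits(policies, issuer, subject),
        "by_purpose": purpose_permits(trust_list, issuer, cert_type),
    }


# Constructed certificates: (issuer DN, subject DN, cert type)
CERTS = [
    (GRID_CA, "/C=US/O=Example Grid/OU=People/CN=Alice", "user"),
    # same CA, subject outside the permitted OUs: name policy rejects it
    (GRID_CA, "/C=US/O=Example Grid/CN=rogue", "user"),
    # commercial CA: trusted for host certs by purpose, but the signing
    # policy has no entry for it, so every name from it is rejected
    (COMMERCIAL_CA, "/C=US/O=Example Commercial/CN=www.example.org", "host"),
]

if __name__ == "__main__":
    for cert in CERTS:
        print(cert[1], evaluate(cert))
```

The third certificate is the case the message calls a market inhibitor: a CA the site might well trust for host certificates is rejected by the name-only mechanism simply because its names do not fit the pattern file.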
