Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Frank Siebenlist
franks at mcs.anl.gov
Wed Oct 12 14:09:00 CDT 2005
Sorry, but I have to disagree strongly.
Having no name constraints and letting any CA issue any name it wants
puts all your trusted CAs on equal footing concerning the names they
issue: any CA can overstep its policy boundaries concerning the issued
names and you have no way to find out.
Some form of enforced name-constraining policy or localizing the
name-issuing to a CA is the only safeguard you have against any rogue CA
among the zillions that may be present in your trusted CA-directory.
Wasn't that the main reason that we have our current ca signing policy
files in the first place?
Did I miss anything?
-Frank.
Mike Helm wrote:
> "Cowles, Robert D." writes:
>
>> that the middleware includes a check of the CA when it compares
>> on DN, then what you say is correct.
>>
>
> This is one of the essential problems with this service that
> has never been addressed as far as I know. Name constraints
> "be" an incomplete barrier.
>
> BTW, we have found this omission _useful_ in our past.
>
> We switched from a test, development lab CA (DOE Science Grid) to a production
> quality CA (doegrids), and we used this property to ease subscribers'
> transition to the new CA. Lesson? Overlapping name spaces
> might be useful!
>
>
--
Frank Siebenlist franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
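
The safeguard argued for in this thread, as an added example that is not part of the original messages or of any grid middleware: authorization on subject DN alone compared with DN plus a per-CA namespace check. The CA names, DNs, glob-style patterns and function names are constructed for illustration, and certificate chain validation is assumed to have succeeded already.

```python
from fnmatch import fnmatchcase

# Constructed per-CA namespaces: which subject DNs each trusted CA may issue.
# This is a simplified in-memory model, not a real signing policy file.
SIGNING_POLICY = {
    "/O=Example Grid/CN=Example Production CA": [
        "/O=Example Grid/OU=People/*",
        "/O=Example Grid/OU=Services/*",
    ],
    "/O=Other Org/CN=Other Org CA": ["/O=Other Org/*"],
}

# Constructed access list keyed on subject DN only, as DN-based middleware keeps it.
ACL = {"/O=Example Grid/OU=People/CN=Alice Example"}


def namespace_allows(issuer_dn, subject_dn, policy=SIGNING_POLICY):
    """True if issuer_dn is permitted to issue subject_dn."""
    patterns = policy.get(issuer_dn)
    if patterns is None:
        return False  # trusted CA without a namespace entry: fail closed
    return any(fnmatchcase(subject_dn, p) for p in patterns)


def authorize_dn_only(subject_dn, acl=ACL):
    """DN comparison with no check of the CA: every trusted CA is equal."""
    return subject_dn in acl


def authorize_with_namespace(issuer_dn, subject_dn, acl=ACL, policy=SIGNING_POLICY):
    """DN comparison that also requires the issuer to own the namespace."""
    return namespace_allows(issuer_dn, subject_dn, policy) and subject_dn in acl


def issuers_for(subject_dn, policy=SIGNING_POLICY):
    """CAs allowed to issue this name; more than one means overlapping namespaces."""
    return sorted(ca for ca in policy if namespace_allows(ca, subject_dn, policy))


if __name__ == "__main__":
    alice = "/O=Example Grid/OU=People/CN=Alice Example"
    for ca in list(SIGNING_POLICY) + ["/O=Unlisted/CN=Unlisted CA"]:
        print(ca, authorize_dn_only(alice), authorize_with_namespace(ca, alice))
    print("may issue Alice's DN:", issuers_for(alice))
```
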