[caops-wg] Name Constraints - attempt at framing issues
David Chadwick
d.w.chadwick at kent.ac.uk
Fri Oct 14 09:15:45 CDT 2005
Cowles, Robert D. wrote:
>
>
>
>>1) What CAs do we wish to consider as potential issuers for our
>>community? Is it just "Grid CAs" (by that I mean CA we can
>>reasonably
>>expect to adhere to best practices as specified by GGF WGs) or do we
>>want to also consider CAs that we have no reasonable expectation of
>>being able to impact their policies or procedures (e.g. commercial
>>CAs) as potential issuers for our community as well?
>
>
> I think that if we are successful, all this will be used in ways
> we can't now imagine or, in the future, control. To me, the idea of
> depending on CA's to issue certificates for DNs that are globally
> unique is just asking for trouble.
Trusted third parties that cannot be trusted!! Why are we bothering with
them? Building a whole trust infrastructure on untrusted TTPs is a
pointless exercise in futility.
regards
David
> Administrative controls to
> keep the namespaces separate are clearly not good enough. The signing
> policy file is a technical control but it still seems pretty weak.
> To me, the thing that is unique is (DN + CA) and the function of the
> CA is to try its best to not issue a cert with the same DN to
> different people. I would be happy if they can do just that and I
> think it unreasonable to believe that the DN is unique in the
> universe (or even a small section thereof). The signing policy
> files basically allow us to say - given this DN, it should have been
> issued by that CA - and as far as I can see, it's because the CA
> isn't stored in the gridmapfile (and maybe it's not there because
> the DN was supposed to be unique - but that was 8-10 years ago, and
> we know better now).
>
>
>>2) Do we believe that during normal operation the CAs indicated in
>>the response to the first question have policy that will result in
>>their issuing globally unique names and will reliably follow that
>>policy?
>
>
> I think it's not true in "normal operation" and that any moderately
> talented attacker would be able to generate a condition outside
> of "normal operations" and get *someone* to issue a certificate
> with any DN they chose.
>
>
>>3) If a CA is compromised, given currently implementations,
>>this will
>
>
> (my comments here were in an earlier email).
>
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
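The mechanism Robert Cowles describes above (the gridmapfile keys on the subject DN alone, so a signing policy file is needed to say which CA may have issued a given DN, while the value that is actually unique is the (CA, DN) pair) is shown below as an added example; it is not code from the caops-wg thread, from Globus, or from either author. The DNs, CA names and policy table are constructed for illustration, and the policy structure is a simplified stand-in for a signing_policy file, not a parser for the real format.

```python
"""Added example (not from the caops-wg thread): why keying authorization on
the subject DN alone is weak, and what a CA-namespace check or a (CA, DN)
key changes.

All DNs, CA names and policy entries below are constructed. The policy
table is a simplified stand-in for a Globus signing_policy file, not a
parser for the real format.
"""
from fnmatch import fnmatchcase

# Constructed signing policy: which subject namespaces each trusted CA may
# sign. Keys are issuer DNs; values are glob patterns over subject DNs.
SIGNING_POLICY = {
    "/C=US/O=Example Grid/CN=Example Grid CA": ["/C=US/O=Example Grid/*"],
    "/C=UK/O=Example Lab/CN=Example Lab CA": ["/C=UK/O=Example Lab/*"],
}

# Constructed grid-mapfile in the classic form: subject DN -> local account.
# The issuing CA is not recorded, which is the weakness under discussion.
GRIDMAP_BY_DN = {
    "/C=US/O=Example Grid/OU=Users/CN=Alice": "alice",
}

# The same mapping keyed on (issuer DN, subject DN), the pair that is unique.
GRIDMAP_BY_CA_AND_DN = {
    ("/C=US/O=Example Grid/CN=Example Grid CA",
     "/C=US/O=Example Grid/OU=Users/CN=Alice"): "alice",
}


def subject_in_ca_namespace(issuer_dn, subject_dn, policy=SIGNING_POLICY):
    """True if issuer_dn is a trusted CA and subject_dn lies in a namespace
    the policy lets that CA sign. Unknown issuers are rejected outright."""
    patterns = policy.get(issuer_dn)
    if not patterns:
        return False
    return any(fnmatchcase(subject_dn, pat) for pat in patterns)


def map_by_dn_only(issuer_dn, subject_dn, gridmap=GRIDMAP_BY_DN):
    """Weak mapping: the issuer is ignored, so any CA that produces the same
    DN, whether by mistake or by compromise, lands on the same account."""
    return gridmap.get(subject_dn)


def map_with_policy(issuer_dn, subject_dn,
                    gridmap=GRIDMAP_BY_DN, policy=SIGNING_POLICY):
    """DN-keyed mapping gated by the namespace check: a DN is accepted only
    from the CA the policy says should have issued it."""
    if not subject_in_ca_namespace(issuer_dn, subject_dn, policy):
        return None
    return gridmap.get(subject_dn)


def map_by_ca_and_dn(issuer_dn, subject_dn, gridmap=GRIDMAP_BY_CA_AND_DN):
    """Mapping keyed on the (CA, DN) pair: a colliding DN from another CA is
    simply a different key and never reaches Alice's account."""
    return gridmap.get((issuer_dn, subject_dn))


if __name__ == "__main__":
    alice = "/C=US/O=Example Grid/OU=Users/CN=Alice"
    good_ca = "/C=US/O=Example Grid/CN=Example Grid CA"
    # A second trusted CA issuing the same DN outside its own namespace, and
    # an untrusted CA doing the same (both constructed).
    other_trusted_ca = "/C=UK/O=Example Lab/CN=Example Lab CA"
    rogue_ca = "/C=XX/O=Rogue/CN=Rogue CA"
    for ca in (good_ca, other_trusted_ca, rogue_ca):
        print(ca)
        print("  DN only      :", map_by_dn_only(ca, alice))
        print("  DN + policy  :", map_with_policy(ca, alice))
        print("  (CA, DN) key :", map_by_ca_and_dn(ca, alice))
```

Run stand-alone, the three lookups make the point of the quoted paragraph concrete: the DN-only map hands "alice" to whichever CA presents that DN, the policy-gated map accepts it only from the CA whose namespace contains it, and the (CA, DN)-keyed map has no entry at all for the other issuers.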