Name Constraints, was Re: [caops-wg] Re: ca signing policy file

David Chadwick d.w.chadwick at kent.ac.uk
Fri Oct 14 09:53:27 CDT 2005


Mike

I can put a different slant on this, which is, the strength of 
authentication (and other factors such as location, time of day etc.) 
should be a component of authorisation decision making. For example, I 
logged in at an Internet cafe at midnight using un/pw and I want to 
delete an employee from the employee database. Access denied. I logged 
in using my PKI certificate and smart card from a computer in the 
administration department at 10am and I want to delete an employee from 
the employee database. Access granted.

So it is not too unreasonable to include the name of the CA in the 
authorisation decision making, once we accept that they are trusted to 
different levels. This is not too difficult to enforce with a general 
purpose authorisation PDP (in fact we are currently working on a project 
with Uni of Manchester to implement strength of authentication in 
authorisation decision making).

regards

David


Mike Helm wrote:
> Frank Siebenlist writes:
> 
>>Are you suggesting that we should keep the CA always with the DN for all 
>>the authorization decisions?
>>(Essentially pushing the policy enforcement of name+CA to the 
>>authorization stage and throwing-in the towel as far as the pkix/x509 
>>global-naming dream is concerned...)
> 
> 
> Yes.  To all.
> 
> As DC mentioned there is available to us a global naming strategy.
> It is not perfect and it has some side effects, but it can at least
> reduce some of the human confusion.  
> 
> However, you still have to include the issuer in any decision, because
> you have to have some assurance that the binding was legitimate.
> We don't yet (won't ever?) have an a priori way of knowing that.
> 
> 
>>If not, or maybe not, or sometimes not, should we move to a model where 
>>the CAs remain in the authorization picture and asserted names should 
>>always be considered in the context of the issuer?
> 
> 
> I think this is the safer of the 2 choices you offered.
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
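The following is an added example, not part of the original message or of any project mentioned in it: a minimal policy decision point that treats the issuing CA and the strength of authentication as inputs to the authorisation decision, using the two login scenarios described above. The CA names, trust levels, method levels, grants and rule values are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# All names, DNs and levels below are constructed for illustration.
SMARTCARD_CA = "CN=Example Smartcard CA,O=Example"
BASIC_CA = "CN=Example Basic CA,O=Example"
CA_LEVEL = {SMARTCARD_CA: 3, BASIC_CA: 1}            # trust placed in each issuer
METHOD_LEVEL = {"password": 1, "x509": 2, "x509+smartcard": 3}

@dataclass(frozen=True)
class AuthnContext:
    subject: str            # asserted name (DN or username)
    issuer: Optional[str]   # issuing CA DN; None for username/password
    method: str
    location: str
    at: time

# Principals are (issuer, subject) pairs, so a DN is only meaningful per issuer.
GRANTS = {
    (SMARTCARD_CA, "CN=Alice,O=Example"): {"delete_employee"},
    (None, "alice"): {"delete_employee"},
}
RULES = {"delete_employee": {"min_level": 3, "locations": {"admin-dept"},
                             "window": (time(8, 0), time(18, 0))}}

def strength(ctx: AuthnContext) -> int:
    """Effective strength: the weaker of the method and the issuing CA's level."""
    method = METHOD_LEVEL.get(ctx.method, 0)
    if ctx.issuer is None:
        return method
    return min(method, CA_LEVEL.get(ctx.issuer, 0))

def decide(ctx: AuthnContext, action: str) -> tuple:
    """Return (permit, reason); anything not explicitly allowed is denied."""
    rule = RULES.get(action)
    if rule is None:
        return False, "no rule for action"
    if action not in GRANTS.get((ctx.issuer, ctx.subject), set()):
        return False, "name not authorised under this issuer"
    if strength(ctx) < rule["min_level"]:
        return False, "authentication too weak"
    if ctx.location not in rule["locations"]:
        return False, "location not allowed"
    start, end = rule["window"]
    if not (start <= ctx.at <= end):
        return False, "outside permitted hours"
    return True, "permit"
```

Because grants are keyed on the (issuer, subject) pair, the same DN asserted by a different CA is a different principal and is denied before strength is even considered.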




