Name Constraints, was Re: [caops-wg] Re: ca signing policy file

David Chadwick d.w.chadwick at kent.ac.uk
Fri Oct 14 11:50:26 CDT 2005



Cowles, Robert D. wrote:
>  
> The gridmapfile gives no clue as to CA or to VO.

Also to the time of day, or user location, or request parameters, or 
hundreds of other things that might place conditions on what the user is 
allowed to do. So gridmap files were a nice first shortcut to get 
something working fast (a bit like the GridShib mapping file today) but 
they cannot realistically be expected to provide a long term solution.

regards

David

> 
> Why do PKI *users* care about 2)? Unless you consider
> the CA's to be "PKI users".
> 
> BC
> 
> 
>>Bob
>>
>>I think 2) is the main reason used by PKI users in general.
>>What are the design flaws in 1)?
>>
>>thanks
>>
>>David
>>
>>
>>Cowles, Robert D. wrote:
>>
>>>My impression of why we had the constraints were:
>>>
>>>(1) gridmapfile design flaw
>>>
>>>(2) the CA's wanted some limitations so as to help
>>>    divide up the people coming to them ... so that 
>>>    one CA didn't have to issue certs for the whole
>>>    world (since it's being done on pretty limited
>>>    budgets).
>>>
>>>BC 
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Frank Siebenlist [mailto:franks at mcs.anl.gov] 
>>>>Sent: Wednesday, October 12, 2005 12:09 PM
>>>>To: helm at fionn.es.net
>>>>Cc: Cowles, Robert D.; David Chadwick; Von Welch; Tony J. 
>>>>Genovese; CAOPS-WG; Olle Mulmo; Joni Hahkala; Jules Wolfrat; 
>>>>Ron Trompert
>>>>Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca 
>>>>signing policy file
>>>>
>>>>Sorry, but I have to disagree strongly.
>>>>
>>>>Having no name constraints and letting any CA issue any name 
>>>>it wants, puts all your trusted CAs on equal footing concerning 
>>>>the names they issue: any CA can overstep its policy boundaries 
>>>>concerning the issued names and you have no way to find out.
>>>>
>>>>Some form of enforced name constraining policy or localizing the 
>>>>name-issuing to a CA is the only safeguard you have against 
>>>>any rogue CA 
>>>>among the zillions that may be present in your trusted CA-directory.
>>>>
>>>>Wasn't that the main reason that we have our current ca 
>>>>signing policy 
>>>>files in the first place?
>>>>Did I miss anything?
>>>>
>>>>-Frank.
>>>>
>>>>
>>>>Mike Helm wrote:
>>>>
>>>>
>>>>>"Cowles, Robert D." writes:
>>>>> 
>>>>>
>>>>>
>>>>>>that the middleware includes a check of the CA when it compares
>>>>>>on DN, then what you say is correct.
>>>>>>   
>>>>>
>>>>>This is one of the essential problems with this service that
>>>>>has never been addressed as far as I know.  name constraints
>>>>>"be" an incomplete barrier.
>>>>>
>>>>>BTW, we have found this omission _useful_ in our past.
>>>>>
>>>>>We switched from a test, development lab CA (DOE Science 
>>>>>Grid) to a production quality CA (doegrids), and we used this 
>>>>>property to ease subscribers' transition to the new CA.  
>>>>>Lesson?  Overlapping name spaces might be useful!
>>>>>
>>>>> 
>>>>
>>>>-- 
>>>>Frank Siebenlist               franks at mcs.anl.gov
>>>>The Globus Alliance - Argonne National Laboratory
>>>>
>>>>
>>>
>>>
>>-- 
>>
>>*****************************************************************
>>David W. Chadwick, BSc PhD
>>Professor of Information Systems Security
>>The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>>Tel: +44 1227 82 3221
>>Fax +44 1227 762 811
>>Mobile: +44 77 96 44 7184
>>Email: D.W.Chadwick at kent.ac.uk
>>Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>Research Web site: http://sec.cs.kent.ac.uk
>>Entrust key validation string: MLJ9-DU5T-HV8J
>>PGP Key ID is 0xBC238DE5
>>
>>*****************************************************************
>>
> 
> 

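The two checks argued over in this thread (a gridmap lookup keyed on the subject DN alone, versus a signing-policy check that also asks whether the issuing CA is allowed to sign that name) side by side, as an added example that is not code from the thread or from Globus; every CA name, subject DN, namespace pattern and account is constructed for the illustration.

```python
import fnmatch

# Constructed signing policy: trusted CA DN -> subject-DN globs it may sign
# (the same idea as cond_subjects in a signing_policy file). The legacy CA
# deliberately overlaps the production CA's namespace, as in the
# DOE Science Grid -> doegrids migration Mike Helm describes.
SIGNING_POLICY = {
    "/C=US/O=Example Grid/CN=Example Grid CA":         ["/C=US/O=Example Grid/*"],
    "/C=US/O=Example Grid/CN=Example Legacy Lab CA":   ["/C=US/O=Example Grid/*"],
    "/C=UK/O=Example eScience/CN=Example eScience CA": ["/C=UK/O=Example eScience/*"],
}

# Constructed gridmap: subject DN -> local account. Note it records nothing
# about which CA issued the certificate.
GRIDMAP = {
    "/C=US/O=Example Grid/OU=People/CN=Alice Example": "alice",
}


def gridmap_lookup(subject_dn):
    """Plain gridmap mapping: the issuing CA is never consulted."""
    return GRIDMAP.get(subject_dn)


def issuer_may_sign(issuer_dn, subject_dn):
    """Name-constraint check: is the issuer a trusted CA at all, and does
    subject_dn fall inside a namespace that CA is allowed to sign?"""
    patterns = SIGNING_POLICY.get(issuer_dn)
    if patterns is None:
        return False  # CA is not in the trusted-CA directory
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)


def map_user(issuer_dn, subject_dn):
    """Gridmap lookup gated by the signing policy: a trusted CA issuing a
    name outside its own namespace gets no account, not someone else's."""
    if not issuer_may_sign(issuer_dn, subject_dn):
        return None
    return gridmap_lookup(subject_dn)


if __name__ == "__main__":
    alice = "/C=US/O=Example Grid/OU=People/CN=Alice Example"
    other_ca = "/C=UK/O=Example eScience/CN=Example eScience CA"
    # DN-only lookup cannot tell which CA signed; the gated lookup can.
    print(gridmap_lookup(alice), map_user(other_ca, alice))
```

Run as a script it prints `alice None`: the DN-only gridmap maps the certificate regardless of issuer, while the policy-gated mapping rejects it because the eScience CA is not authorised for the Example Grid namespace.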