Name Constraints, was Re: [caops-wg] Re: ca signing policy file
David Chadwick
d.w.chadwick at kent.ac.uk
Fri Oct 14 11:48:11 CDT 2005
Cowles, Robert D. wrote:
>
> The gridmapfile gives no clue as to CA or to VO.
>
> Why do PKI *users* care about 2)?
They don't (except to know which CA to go to). Name constraints is a
trust issue between CAs, they set the policies, and then the RPs enforce
them when giving access to their resources. Of course an RP can ignore a
CA's policy, and trust any cert it wanted to, but then it would be
entirely responsible for any losses incurred.
regards
David
> Unless you consider
> the CA's to be "PKI users*.
>
> BC
>
>
>>Bob
>>
>>I think 2) is the main reason used by PKI users in general.
>>What are the design flaws in 1)?
>>
>>thanks
>>
>>David
>>
>>
>>Cowles, Robert D. wrote:
>>
>>>My impression of why we had the constraints were:
>>>
>>>(1) gridmapfile design flaw
>>>
>>>(2) the CA's wanted some limitations so as to help
>>> divide up the people coming to them ... so that
>>> one CA didn't have to issue certs for the whole
>>> world (since it's being done on pretty limited
>>> budgets).
>>>
>>>BC
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Frank Siebenlist [mailto:franks at mcs.anl.gov]
>>>>Sent: Wednesday, October 12, 2005 12:09 PM
>>>>To: helm at fionn.es.net
>>>>Cc: Cowles, Robert D.; David Chadwick; Von Welch; Tony J.
>>>>Genovese; CAOPS-WG; Olle Mulmo; Joni Hahkala; Jules Wolfrat;
>>>>Ron Trompert
>>>>Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca
>>>>signing policy file
>>>>
>>>>Sorry, but I have to disagree strongly.
>>>>
>>>>Having no name constraints and letting any CA issue any name
>>>>it wants,
>>>>puts all your trusted CAs on equal footing concerning the
>>
>>names they
>>
>>>>issue: any CA can overstep its policy boundaries concerning
>>>>the issued
>>>>names and you have no way to find out.
>>>>
>>>>Some form of enforced name constraining policy or localizing the
>>>>name-issuing to a CA is the only safeguard you have against
>>>>any rogue CA
>>>>among the zillions that may be present in your trusted CA-directory.
>>>>
>>>>Wasn't that the main reason that we have our current ca
>>>>signing policy
>>>>files in the first place?
>>>>Did I miss anything?
>>>>
>>>>-Frank.
>>>>
>>>>
>>>>Mike Helm wrote:
>>>>
>>>>
>>>>>"Cowles, Robert D." writes:
>>>>>
>>>>>
>>>>>
>>>>>>that the middleware includes a check of the CA when it compares
>>>>>>on DN, then what you say is correct.
>>>>>>
>>>>>
>>>>>This is one of the essential problems with this service that
>>>>>has never been addressed as far as I know. name constraints
>>>>>"be" an incomplete barrier.
>>>>>
>>>>>BTW, we have found this omission _useful_ in our past.
>>>>>
>>>>>We switched from a test, development lab CA (DOE Science
>>>>
>>>>Grid) to a production
>>>>
>>>>
>>>>>quality CA (doegrids), and we used this property to ease
>>>>
>>>>subscribers'
>>>>
>>>>
>>>>>transition to the new CA. Lesson? Overlapping name spaces
>>>>>might be useful!
>>>>>
>>>>>
>>>>
>>>>--
>>>>Frank Siebenlist franks at mcs.anl.gov
>>>>The Globus Alliance - Argonne National Laboratory
>>>>
>>>>
>>>
>>>
>>--
>>
>>*****************************************************************
>>David W. Chadwick, BSc PhD
>>Professor of Information Systems Security
>>The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>>Tel: +44 1227 82 3221
>>Fax +44 1227 762 811
>>Mobile: +44 77 96 44 7184
>>Email: D.W.Chadwick at kent.ac.uk
>>Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>Research Web site: http://sec.cs.kent.ac.uk
>>Entrust key validation string: MLJ9-DU5T-HV8J
>>PGP Key ID is 0xBC238DE5
>>
>>*****************************************************************
>>
>
>
>
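The two positions in this thread, a DN-only grid-mapfile lookup versus a relying party that enforces a per-CA namespace before mapping, can be compared in a short sketch. This is an added example, not code from the thread or from any grid middleware: the CA names, namespaces, policy table and function names are constructed assumptions, and signature and chain validation are assumed to have already succeeded.

```python
from fnmatch import fnmatchcase

# Constructed sample data; every DN, namespace and account below is hypothetical.
CA_A = "/DC=org/DC=example-a/CN=Example A CA"
CA_B = "/DC=org/DC=example-b/CN=Example B CA"
ALICE = "/DC=org/DC=example-a/OU=People/CN=Alice"

# Per-CA namespace policy: which subject DNs each trusted CA may issue.
SIGNING_POLICY = {
    CA_A: ["/DC=org/DC=example-a/OU=People/*"],
    CA_B: ["/DC=org/DC=example-b/OU=People/*"],
}

# Grid-mapfile style table: subject DN -> local account, with no issuer column.
GRIDMAP = {ALICE: "alice"}


def gridmap_lookup(subject_dn):
    """DN-only mapping: whichever trusted CA signed the cert, the answer is the same."""
    return GRIDMAP.get(subject_dn)


def issuer_may_sign(issuer_dn, subject_dn, policy=SIGNING_POLICY):
    """True if the subject DN falls inside a namespace the issuer is allowed to sign.

    Uses shell-style globs for brevity; '*' also matches '/' here.
    """
    return any(fnmatchcase(subject_dn, pat) for pat in policy.get(issuer_dn, []))


def authorize(issuer_dn, subject_dn, policy=SIGNING_POLICY):
    """Relying-party check: enforce the issuer's namespace first, then map the DN."""
    if not issuer_may_sign(issuer_dn, subject_dn, policy):
        return None  # CA stepped outside its namespace, or CA has no policy entry
    return gridmap_lookup(subject_dn)


# Deliberately overlapping namespaces, as in the CA transition described in the thread:
# both CAs are allowed to issue names under the same subtree.
TRANSITION_POLICY = {
    CA_A: ["/DC=org/DC=example-a/OU=People/*"],
    CA_B: ["/DC=org/DC=example-a/OU=People/*", "/DC=org/DC=example-b/OU=People/*"],
}

if __name__ == "__main__":
    print("DN-only lookup:", gridmap_lookup(ALICE))
    print("Issued by CA A:", authorize(CA_A, ALICE))
    print("Issued by CA B:", authorize(CA_B, ALICE))
    print("CA B during transition:", authorize(CA_B, ALICE, TRANSITION_POLICY))
```
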