Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Cowles, Robert D. rdc at slac.stanford.edu
Sat Oct 15 18:56:56 CDT 2005

> -----Original Message-----
> From: Frank Siebenlist [mailto:franks at mcs.anl.gov] 
> Sent: Wednesday, October 12, 2005 9:06 PM
...
> 
> Note that with Kerberos cross-realm authentication, one realm is unable
> to issue credentials for the director of the other institute...

Isn't the kerberos realm included in the token, thereby providing
the equivalent of the CA information?

> 
> With your proposed scheme, any "trusted" CA in Italy, Germany, even 
> Holland..., would have the theoretical opportunity to issue a 
> certificate that would impersonate the director of Berkeley, NCSA, 
> Livermore, Los Alamos... and we would have no way to enforce 
> any policy in real-time that could prevent it.

Impersonate? How? 

One of the points of this discussion is that there isn't enough
information in the certificate to be able to use it reliably for
knowing who someone is unless it's surrounded by a lot of other
"context" (like registering with a VO and saying "here is my
certificate").  The only way we could tell whether the Frank
Siebenlist a certificate refers to is you is if it contains a 
lot of personally identifiable information (PII) about you
(MMN, phone, SSN, birthdate) ... all the kind of stuff that we've
learned to NOT make available in a public setting.

As David has pointed out, there's no real difference between
having the CAs divide up the space of DNs or having them each
have a unique CA name that we then append to the DN to get
something globally unique.

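The two schemes compared in the message above, as an added worked example that is not part of the original thread: scheme A confines each CA to a slice of the DN space, which is what the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10, directoryName form) expresses and what a relying party must enforce at validation time; scheme B treats the pair (issuer, subject) as the identity, so no carving-up is needed but every downstream mapping has to key on the pair. All CA names, subject names and the `TRUST_STORE` contents are constructed for illustration; they are not real DOEGrids or EUGridPMA data, and the DN parser is a deliberately simplified stand-in for X.500 matching rules.

```python
"""Toy model of the two ways of making certificate names globally unique that
the thread compares: (A) each CA is confined to a slice of the DN space via
Name Constraints, or (B) the relying party qualifies every subject with the
issuing CA's name. All CA and subject names below are constructed examples.
"""
from dataclasses import dataclass, field

RDNSeq = tuple[tuple[str, str], ...]  # ((attr, value), ...), root first


def parse_dn(dn: str) -> RDNSeq:
    """Parse an OpenSSL-style '/C=US/O=Example/CN=Alice' DN into an RDN sequence.

    Attribute types and values are lower-cased and whitespace-folded, a rough
    stand-in for X.500 caseIgnoreMatch; multi-valued RDNs are not handled.
    """
    rdns = []
    for part in dn.strip().strip("/").split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)


def in_subtree(name: RDNSeq, subtree: RDNSeq) -> bool:
    """RFC 5280 directoryName subtree test: the subtree DN is a prefix of the name."""
    return len(subtree) <= len(name) and name[: len(subtree)] == subtree


@dataclass
class NameConstraints:
    permitted: list[RDNSeq] = field(default_factory=list)
    excluded: list[RDNSeq] = field(default_factory=list)

    def allows(self, name: RDNSeq) -> bool:
        # Excluded subtrees win; an empty permitted list means "anything not excluded".
        if any(in_subtree(name, ex) for ex in self.excluded):
            return False
        if self.permitted and not any(in_subtree(name, p) for p in self.permitted):
            return False
        return True


# Scheme A trust store (constructed): issuer DN -> the DN subtree(s) it may certify.
US_CA = "/C=US/O=Hypothetical US Lab/CN=Hypothetical US Lab CA"
IT_CA = "/C=IT/O=Hypothetical Italian Grid/CN=Hypothetical Italian CA"
TRUST_STORE: dict[RDNSeq, NameConstraints] = {
    parse_dn(US_CA): NameConstraints(permitted=[parse_dn("/C=US/O=Hypothetical US Lab")]),
    parse_dn(IT_CA): NameConstraints(
        permitted=[parse_dn("/C=IT")],
        excluded=[parse_dn("/C=IT/O=Hypothetical Italian Grid/OU=Revoked")],
    ),
}


def accept_constrained(issuer_dn: str, subject_dn: str) -> bool:
    """Scheme A: accept the subject as a bare global identity only if the issuer
    is trusted and the subject lies inside that issuer's permitted slice."""
    constraints = TRUST_STORE.get(parse_dn(issuer_dn))
    return constraints is not None and constraints.allows(parse_dn(subject_dn))


def qualified_identity(issuer_dn: str, subject_dn: str) -> tuple[RDNSeq, RDNSeq]:
    """Scheme B: the identity is (issuer, subject). No carving-up of the DN space
    is needed, but VO registrations and gridmap entries must key on the pair,
    never on the subject alone."""
    return (parse_dn(issuer_dn), parse_dn(subject_dn))


if __name__ == "__main__":
    director = "/C=US/O=Hypothetical US Lab/CN=Lab Director"
    # A certificate naming the US lab's director but issued by the Italian CA:
    print("scheme A, Italian CA:", accept_constrained(IT_CA, director))
    print("scheme A, US CA:     ", accept_constrained(US_CA, director))
    # Under scheme B both certificates validate, but they name different principals:
    print("scheme B distinct:   ",
          qualified_identity(IT_CA, director) != qualified_identity(US_CA, director))
```

The point the example makes concrete is the one in the last paragraph: under scheme A the "impersonation" certificate is rejected at path validation because the foreign CA's permitted subtree does not cover the subject, while under scheme B it validates but names a different principal, so it only becomes an impersonation if some registration step dropped the issuer and matched on the subject alone.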