Name Constraints, was Re: [caops-wg] Re: ca signing policy file

Cowles, Robert D. rdc at slac.stanford.edu
Sat Oct 15 21:24:21 CDT 2005


 

> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk] 
> Sent: Friday, October 14, 2005 9:48 AM
...
> Cowles, Robert D. wrote:
> >  
> > The gridmapfile gives no clue as to CA or to VO.
> > 
> > Why do PKI *users* care about 2)?
> 
> They don't (except to know which CA to go to). Name constraints is a
> trust issue between CAs, they set the policies, and then the RPs enforce
> them when giving access to their resources. Of course an RP can ignore a
> CA's policy, and trust any cert it wanted to, but then it would be
> entirely responsible for any losses incurred.
> 
> regards
> David

Precisely .. it's between CA's.  When I brought up the issue of
signing policy several years ago it was in the context that we weren't
telling the relying parties that the authentication mechanism
relied on the signing policy file and in keeping the DN's for the
CA's to be disjoint sets.  A site could easily believe that another
CA was entirely trustworthy in authenticating users (e.g. Verisign
rather than Thawte) and not realize that if the set of DN's you could
get Verisign to issue overlapped with one of the other CA's then you
no longer had viable authentication, even though all the CA's were
doing their job and you correctly described the certificates that
could be trusted in the signing policy file.

My point is that we always say it's up to the RP to put any CA in
the list of trusted CA's but we weren't saying that the DN's MUST
NOT overlap those from any other trusted CA.
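
Added example, not part of the original message: a check an RP could run over its trusted-CA list to confirm that the subject-DN namespaces the CAs may sign are disjoint, the condition the message says was not being stated. The CA names, the patterns, and the restriction to a literal DN or a literal prefix ending in one "*" are constructed assumptions, not taken from any real signing policy file.

```python
# Added example: detect overlapping subject-DN namespaces across trusted CAs.
# Assumption: each pattern is a literal DN or a literal prefix ending in one "*".
from itertools import combinations

# Constructed sample data: CA subject -> DN patterns that CA is allowed to sign.
TRUSTED_CAS = {
    "/C=US/O=Example Lab/CN=Lab CA": ["/C=US/O=Example Lab/OU=People/*"],
    "/C=US/O=Example Grid/CN=Grid CA": ["/C=US/O=Example Grid/*"],
    "/C=US/O=Commercial/CN=Public CA": ["/C=US/O=Example Lab/*", "/C=US/O=Shop/*"],
}


def normalize(pattern):
    """Return (literal part, has_trailing_wildcard) for one pattern."""
    if "*" in pattern[:-1]:
        raise ValueError(f"only a single trailing '*' is supported: {pattern!r}")
    wildcard = pattern.endswith("*")
    # Compared case-insensitively: the conservative choice, it flags more overlaps.
    return (pattern[:-1] if wildcard else pattern).lower(), wildcard


def patterns_overlap(a, b):
    """True if at least one subject DN could match both patterns."""
    (lit_a, wild_a), (lit_b, wild_b) = normalize(a), normalize(b)
    if wild_a and wild_b:
        return lit_a.startswith(lit_b) or lit_b.startswith(lit_a)
    if wild_a:
        return lit_b.startswith(lit_a)
    if wild_b:
        return lit_a.startswith(lit_b)
    return lit_a == lit_b


def find_overlaps(cas):
    """Return (ca1, pattern1, ca2, pattern2) for every cross-CA overlap."""
    hits = []
    for (ca1, pats1), (ca2, pats2) in combinations(sorted(cas.items()), 2):
        for p1 in pats1:
            for p2 in pats2:
                if patterns_overlap(p1, p2):
                    hits.append((ca1, p1, ca2, p2))
    return hits


if __name__ == "__main__":
    for ca1, p1, ca2, p2 in find_overlaps(TRUSTED_CAS):
        print(f"OVERLAP: {ca1} [{p1}] and {ca2} [{p2}]")
```

Any reported pair means a DN-only mapping, such as the gridmapfile mentioned in the quoted text, cannot tell which CA vouched for the user.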




