AW: [igtf-general] Re: [caops-wg] Certificate Profile document, update v0.5
David Groep
davidg at nikhef.nl
Wed Aug 16 06:48:16 CDT 2006
Hi Ursula, all,
Epting, Ursula wrote:
> Dear Jens, David and all, the document is very well done, good work! I've
> added some small comments and (possible) corrections of typos (using word
> track changes on Jens' doc, after accepting all his changes)
I've merged these in and produced version 0.8 - now on the web at
http://www.eugridpma.org/temporary/
Most of the comments I've just merged, some are discussed below:
* in section 2.1, on the serial number stuff:
I've created a new subsection ("2.2 Serial Number") and put all this
text there.
* in section 3.1, "version number must be set to "2"":
this is indeed the encoding of the version number in the first INTEGER
of the certificate
* section 3.2.1 "dNSName" and others
funky capitalisation taken from the standards documents (where things
never start with a capital letter)
* On the Unicore need for "nsCertType: server, client"
I've not seen this requirement before (of having a need for
*both* server *and* client being asserted here). If you can
dig up the email, I'll be very happy. Please do.
* Section 4.2 "Key lengths and hashed"
Since SHA-256 is not supported, we'll have to live with SHA-1
for the time being, despite it having only 80 bits effective.
Thanks a lot,
DavidG.
>
> Mit freundlichen Gruessen/ With kind regards
>
> Ursula Epting
>
> Ursula Epting Forschungszentrum Karlsruhe Institut fuer Wissenschaftliches
> Rechnen (IWR) Grid Infrastruktur und Services (GIS) Tel. +049 (0)7247-82-6786
> Fax +049 (0)7247-82-7786 e-mail: ursula.epting at iwr.fzk.de
> ----------------------------------------------- GridKa-Zertifikat
> SHA1-Fingerprint:
> 0B:DD:25:06:98:74:D6:81:DD:1E:AF:2F:AD:7A:EA:10:75:CE:7E:6E
> -----------------------------------------------
> **************************************************************************
> The Institute for Scientific Computing of Forschungszentrum Karlsruhe will
> again run its annual GridKa School from September 11-15, 2006. Please find
> further information at http://www.fzk.de/gks06 .
> **************************************************************************
>
>
>
>
>
>> -----Ursprüngliche Nachricht----- Von: Jensen, J (Jens)
>> [mailto:J.Jensen at rl.ac.uk] Gesendet: Dienstag, 15. August 2006 09:31 An:
>> David Groep; dg-eur-ca at services.cnrs.fr Cc: All IGTF Members
>> (igtf-general); CAOPS-WG Betreff: RE: [igtf-general] Re: [caops-wg]
>> Certificate Profile document, update v0.5
>>
>>
>> David, I have now finally had time to go through the document and made only
>> a few changes. And fixed a few bugs, like commonName cannot use IA5String
>> as encoding. I used Word's change tracker.
>>
>> http://www.grid-support.ac.uk/files/eugridpma-certprofile-2006
>> 0814-0-6-jens.doc
>>
>> What would be the consequences of saying in 4.1 "RDNs MUST be in the Right
>> Order". Will we lose SWITCH and Purdue?
>>
>> Would it be worth expanding section 5 into a general annotated openssl.cnf?
>> If new CAs feel this would be useful, I will be happy to provide something
>> (if so, please reply to me).
>>
>> The document has also gradually started to describe how software deals with
>> certificates - browsers, OpenLDAP, etc. This could be expanded.
>>
>> Thanks, --jens
>>
>>
>> -----Original Message----- From: owner-caops-wg at ggf.org
>> [mailto:owner-caops-wg at ggf.org]On Behalf Of David Groep Sent: 14 August
>> 2006 13:08 To: dg-eur-ca at services.cnrs.fr Cc: All IGTF Members
>> (igtf-general); CAOPS-WG Subject: Re: [igtf-general] Re: [caops-wg]
>> Certificate Profile document, update v0.5
>>
>>
>> Hi Reimer,
>>
>> Thanks for the comments. Answers in-line, and a new document is on the web
>> at
>>
>>
>> http://www.eugridpma.org/temporary/eugridpma-certprofile-20060 814-0-6.pdf
>>
>> http://www.eugridpma.org/temporary/eugridpma-certprofile-20060 814-0-6.doc
>>
>>
>> Reimer Karlsen-Masur, DFN-CERT wrote:
>>
>>> ... In section 2.2:
>>>
>>> Within the Issuer and Subject DNs, the following attributes
>>
>> *are known
>>
>>> to cause problems*:
>>
>> That was a piece of legacy text that I ought to have removed. As the
>> document was restructure, this is now a plain list of attributeTypes.
>>
>>
>>> 2.2.4 DomainComponent, country, organization,
>>
>> organizationalUnit, etc.
>>
>>> ... 2.2.5 commonName ...
>>>
>>> I am confused. Why are these causing problems, except maybe for multiple
>>> RDNs of same name (except for DCs)?
>>
>> Multiple "O"'s are OK, and even multiple CNs are rumoured to be OK (the
>> CERN-IS CA will find out :-)
>>
>>
>>> In section 3.3.8 only some forms of the AKI block the in-place
>>> replacement of CA certificates. If the AKI does only
>>
>> contain the hash
>>
>>> value I think it is working fine. IMO this hash only
>>
>> changes if the CA
>>
>>> key changes. And "in-place replacement" means extending the
>>
>> lifetime of
>>
>>> a CA certificate and maybe changing the serial number but
>>
>> nothing else,
>>
>>> right?
>>>
>>> If the AKI of an EE cert contains the dirname (i.e. the
>>
>> subject DN) of
>>
>>> the issuing CA issuing CA (note: this is the right number
>>
>> of repetitions
>>
>>> of "issuing CA" cause it is the *issuer* DN of the EE certs
>>
>> issuing CA
>>
>>> cert) plus the EE certs issuing CAs certificate serial number the
>>> problems start when the replacement CA certificate gets a
>>
>> new serial
>>
>>> number (which it should as to sections above).
>>>
>>> When an in-place CA cert replacement is eventually planned
>>
>> for in the
>>
>>> future and this will come with a CA key change, above does
>>
>> not apply and
>>
>>> it is better to not use AKIs at all.
>>
>> This updated text should be better: The authorityKeyIdentifier is not
>> usually interpreted by the software. It is not known to cause issues with
>> grid software, as it is ignored. The extension MUST NOT be marked critical.
>>
>>
>> If the AKI contains information that changes when the CA certificate is
>> modified, it will block any "smooth" replacement of CA certificates (i.e.
>> updating a CA certificate to modify the expiry date). Possible attributes
>> in AKI include the directoryName of the authority that issued the issuer
>> certificate (safe as it should not change) plus the serial number (which
>> may or may not change), and/or the keyId of the end-entity issuing CA. If
>> the keyIdentifier has been generated using one of the two recommended
>> methods from RFC3280 (i.e. is purely derived from the public key value), it
>> will not impair smooth replacement.
>>
>>
>>
>>> AKIs are also used in (Sub-)CA certificates, so similar apply there.
>>>
>>> In section 3.3.12 the AIA could additionally/alternatively hold the
>>> issuing CAs certificate download URI. Can also be set in Sub-CA
>>> certificates. This can be used to automatically retrieve CA
>>
>> certs for
>>
>>> validation path building and path validation. IMO at least
>>
>> Microsoft's
>>
>>> smart card Single-Sign-Logon is using these.
>>
>> Added to 3.3.12.
>>
>> Cheers, DavidG.
>>
>>
>>
>> -- David Groep
>>
>> ** National Institute for Nuclear and High Energy Physics, PDP/Grid group
>> ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam
>> NL **
>>
>>
>>
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
More information about the caops-wg
mailing list