[caops-wg] Proxy certificate revocation text
David Chadwick
d.w.chadwick at kent.ac.uk
Fri Feb 10 08:27:32 CST 2006
Hi Oscar and Jesus
Your document says
"it is highly recommended that only End Entities revoke their own Proxy
Certificates.
If a third party is required to perform this process (i.e. resource
owners and local security administrators), it is recommended to notify
of such revocation the corresponding End Entity from the Proxy
Validation Path so appropriate counteractive actions can take place.
However, as mentioned previously, third party revocation is not a
recommended practice from a security point of view."
I would actually go further than you do, and say that no-one is allowed
to revoke a proxy certificate except its creator or an authorised
delegate of the creator. Allowing anyone else to revoke a proxy is
equivalent of allowing a DOS attack on the proxy. On the other hand, a
resource owner is the source of authority for his own resource, and can
trust or distrust any certs that he wants to (PKC and AC). Therefore a
resource owner can blacklist anything from using his resource. But this
is not revocation of a proxy cert, since the proxy cert is still
authentic and can still be used at other resources that trust it. It
simply isnt valid for use at the local resource. Revocation on the other
hand ensures that no-one should trust the proxy cert, since the issuer
is saying that it is no longer valid.
regards
David
jluna at ac.upc.edu wrote:
> Hi!
> You will find attached to this message our proposed text for the Proxy
> Revocation topic, taking into account some comments from D. Chadwick as
> mentioned in the teleconferece.
>
> Best regards,
> Oscar & Jesus
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
More information about the caops-wg
mailing list